• Search for:
    8Jun, 2024
    6 Types of Applications Security Testing You Must Know About

    Application security testing is a critical component of modern software development, ensuring that applications are robust and resilient against malicious attacks. As cyber threats continue to evolve in complexity and frequency, the need to integrate comprehensive security measures throughout the SDLC has never been more essential. Traditional pentesting provides a crucial snapshot of an application’s security posture, but when integrated across the SDLC, it allows for early detection and mitigation of vulnerabilities, reducing the risk of costly post-deployment fixes and enhancing overall security.

    While the specifics for security testing vary for applications, web applications, and APIs, a holistic and proactive applications security strategy is essential for all three types. There are six core types of testing that every security professional should know about to secure their applications, regardless of what phase they are in in development or deployment.

    In this article, we will explore these six types of application security testing methods essential to keep your software secure from potential threats while meeting your business and operational requirements. These include:

    1. Penetration testing for the SDLC
    2. Dynamic Application Security Testing (DAST)
    3. Static Application Security Testing (SAST)
    4. Interactive Application Security Testing (IAST)
    5. Fuzz Testing for APIs
    6. Application Security Posture Management (APSM)

    Application Security Testing Methods

    There is no doubt that pentesting is a crucial aspect of security testing, but often is a point-in-time assessment that simulates attacks to identify vulnerabilities. In contrast, the other pentesting methods are more integrated into the application development and maintenance processes, providing continuous or more frequent pentesting and scanning assessments, focusing on different aspects of the application lifecycle, and using various automated and manual techniques.

    Before we review the six main types of application security testing, organizations often want to understand the difference between these methods and penetration testing. Each of these methods has distinct characteristics and objectives, differing from traditional pentesting in various ways. Here’s a quick breakdown of each method compared to pentesting; however, these methods are often integrated or overlap with penetration testing, and all are part of a proactive approach to application security testing at different stages of the development lifecycle.

    1. Penetration Testing for the SDLC: 

    Penetration integrated into the Software Development Life Cycle (SDLC) involves conducting security assessments at various stages of the development process. This ensures vulnerabilities are identified and mitigated early, before the application is deployed. Pentesting can be done during the design, coding, testing, and deployment phases to continuously assess the security posture of the application.

    • Integrated into the Software Development Life Cycle (SDLC) to identify vulnerabilities throughout development
    • Conducted at various stages (e.g., design, development, testing, deployment)
    • Aims to catch and fix vulnerabilities early in the SDLC, reducing the cost and effort of remediation
    • Should be an automated, continuous, and iterative assessment compared to traditional pentesting (periodic)

    Top Three Benefits: 

    • Early Detection and Mitigation of Vulnerabilities: Identifying security issues early in the SDLC prevents them from progressing to later stages, where they become more costly and difficult to fix.
    • Cost Efficiency: Fixing vulnerabilities early in development is less expensive than addressing them post-deployment, saving resources and reducing remediation costs.
    • Continuous Improvement and Compliance: Regular pentesting throughout the SDLC promotes continuous security improvements and ensures compliance with industry standards and regulations, building customer trust.

    2. Dynamic Application Security Testing (DAST)

    Dynamic Application Security Testing (DAST) is a type of security testing that analyzes a running application from the outside to identify vulnerabilities. It simulates external attacks to discover security flaws in the application’s runtime environment without accessing the source code.

    • Tests applications from the outside in, simulating an external attack.
    • Performed on running applications without access to source code.
    • Focuses on identifying runtime vulnerabilities like SQL injection, XSS, etc.
    • Provides immediate feedback on security issues during the testing phase.

    Pentesting:

    • May involve both external and internal assessments, including source code reviews
    • Can encompass a broader range of attack vectors and techniques
    • Less automated and more reliant on the skills and creativity of the human tester

    Top 3 Benefits:

    • Runtime Vulnerability Detection: DAST identifies vulnerabilities that manifest during the application’s execution, such as SQL injection and cross-site scripting (XSS).
    • Immediate Feedback: Provides real-time feedback on security issues, allowing developers to quickly address and fix vulnerabilities.
    • No Source Code Access Needed: DAST can be performed without access to the application’s source code, making it suitable for testing third-party applications or legacy systems.

    3. Static Application Security Testing (SAST)

    Static Application Security Testing (SAST) involves analyzing an application’s source code, bytecode, or binary code for security vulnerabilities without executing the program. It helps identify issues like insecure coding practices and code-level vulnerabilities early in the development process.

    • Analyzes source code, bytecode, or binary code for vulnerabilities without executing the program
    • Performed early in the development process (during coding)
    • Helps identify issues like buffer overflows, insecure coding practices, and other code-level vulnerabilities
    • Provides insights into code quality and security best practices

    Pentesting:

    • More focused on the application in its deployed state and less on the underlying code
    • Identifies vulnerabilities that can be exploited in a running system rather than just in the code

    Top 3 Benefits:

    • Early Detection of Code-Level Issues: Identifies vulnerabilities and insecure coding practices during the coding phase, reducing the risk of security flaws progressing to later stages.
    • Improved Code Quality: Encourages adherence to secure coding standards and best practices, leading to overall better-quality code.
    • Cost-Effective Remediation: Fixing vulnerabilities during development is more cost-effective than addressing them after deployment.

    4. Interactive Application Security Testing (IAST)

    Interactive Application Security Testing (IAST) combines elements of both SAST and DAST by analyzing an application’s code and monitoring its behavior during runtime. IAST provides real-time feedback on security issues as the application is exercised, offering a comprehensive assessment of both code and runtime vulnerabilities.

    • Combines elements of both SAST and DAST by analyzing code and monitoring application behavior during runtime
    • Provides real-time feedback on vulnerabilities as the application is exercise.
    • More comprehensive as it can detect issues that manifest during execution and at the code level
    • Integrated into the development and testing process for continuous monitoring

    Pentesting:

    • Usually performed as a separate activity from development, providing a point-in-time assessment
    • Relies on manual and automated techniques but lacks the continuous, real-time feedback loop of IAST

    Top 3 Benefits:

    • Comprehensive Vulnerability Detection: Detects vulnerabilities at both the code level and during runtime, providing a thorough security assessment.
    • Real-Time Feedback: Offers immediate insights into security issues, enabling rapid identification and remediation.

    Continuous Monitoring: Integrated into the development and testing process, IAST supports continuous security assessment and improvement.

    5. Fuzz Testing for APIs

    Fuzz Testing, or Fuzzing, for APIs involves sending random, malformed, or unexpected data to an API to identify vulnerabilities, crashes, or unexpected behaviors. It helps uncover issues that might not be found through traditional testing methods

    • Involves sending random or malformed data to APIs to identify unexpected behaviors or vulnerabilities
    • Effective at finding buffer overflows, crashes, and other stability issues
    • Typically, automated and can uncover flaws that may not be identified through traditional testing methods

    Pentesting:

    • May include some elements of fuzz testing but is broader in scope
    • It focuses on finding and exploiting a wide range of vulnerabilities, not just those related to input handling

    Top 3 Benefits:

    • Uncover Hidden Vulnerabilities: Identifies buffer overflows, crashes, and other stability issues that traditional testing methods might miss.
    • Automation-Friendly: This can be automated, allowing for extensive testing of various input scenarios without manual intervention.
    • Improved API Robustness: Enhances the overall robustness and reliability of APIs by ensuring they can handle unexpected inputs gracefully.

    6. Application Security Posture Management (APSM)

    Application Security Posture Management (APSM) focuses on continuously managing and maintaining the security posture of applications throughout their lifecycle. It involves monitoring, vulnerability management, policy enforcement, and compliance checks to ensure ongoing security and adherence to industry standards.

    • Focuses on managing and maintaining the security posture of applications throughout their lifecycle
    • It involves continuous monitoring, vulnerability management, policy enforcement, and compliance checks
    • Aims to ensure ongoing security and compliance with industry standards and regulations
    • Often integrates with various security tools and processes for a comprehensive approach

    Pentesting:

    • Provides a snapshot of an application’s security at a specific point in time
    • Doesn’t offer the continuous monitoring and management aspect of APSM

    Top 3 Benefits:

    • Continuous Security Monitoring: Provides ongoing assessment of application security, ensuring vulnerabilities are identified and addressed promptly.
    • Enhanced Compliance: Helps maintain compliance with security regulations and standards, reducing the risk of regulatory penalties.
    • Proactive Risk Management: Supports proactive identification and mitigation of security risks, improving the overall security posture and reducing potential attack surfaces.

    The six types of application security testing methods are not isolated practices; rather, they complement and reinforce each other to provide a comprehensive security assessment. DAST evaluates the application in its running state, identifying runtime vulnerabilities, while SAST analyzes the source code to catch security issues early in development. IAST combines these approaches, offering real-time insights during runtime and code analysis, making it a powerful tool for continuous security assessment. Fuzz Testing for APIs focuses on ensuring API robustness against unexpected inputs, while APSM provides ongoing management and monitoring of the application’s security posture, ensuring compliance and proactive risk mitigation. Together, these methods create a robust security framework that can adapt to the dynamic nature of software development and the evolving threat landscape.

    In conclusion, the integration of diverse application security testing methods is vital for developing secure, resilient applications. Each method addresses unique security challenges, and their combined use ensures comprehensive coverage, early detection, and continuous improvement. By leveraging the strengths of all of the security methods, security professionals and their organizations can build a proactive AppSec security approach that complements one another, secure your applications against current threats, and also adapts to future risks.

    Ref: https://thehackernews.com/2024/07/6-types-of-applications-security.html

    26Dec, 2023
    MySQL Servers, Docker Hosts Infected With DDoS Malware

    Attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed denial-of-service (DDoS) attacks, according to a warning from researchers at the AhnLab Security Emergency Response Center.

    According to AhnLab, attacks targeting MySQL on Windows have increased in frequency with vulnerable MySQL servers infected with ‘Ddostf’, a DDoS-capable botnet of Chinese origin that has been around since at least 2016.

    Malicious attackers, AhnLab warns, scan the internet for publicly-accessible MySQL servers using the TCP port 3306, and then attempt to compromise them either using weak credentials or exploiting known vulnerabilities.

    The attackers then upload a malicious DLL as a UDF (User-Defined Function) library, which allows them to execute commands on the infected system and to deploy and execute the Ddostf malware.

    Targeting both Linux and Windows environments, Ddostf achieves persistence and then collects system information and sends it to the command-and-control (C&C) server. It then waits for commands to launch DDoS attacks such as SYN, UDP, and HTTP GET/POST floods.

    “Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” AhnLab explained.

    The malware appears to be designed solely for launching DDoS attacks and the researchers believe the threat actor is operating a DDoS-for-hire service.

    OracleIV DDoS-capable malware

    Separately, Cado Security is warning in a new report that Docker hosts are being targeted with the OracleIV DDoS-capable malware, via the Docker Engine API, an HTTP API served by Docker Engine.

    Attackers are scanning for publicly-exposed instances of the Docker Engine API to deploy a malicious container that hosts Python malware compiled as an ELF executable.

    According to Cado, the accidentally exposed Docker Engine API instances have been a popular target for attackers in recent years, especially for deploying cryptocurrency miners. “Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further,” the company said.

    Cado said it observed attackers making HTTP POST requests to retrieve a malicious image from Dockerhub and spawn a container from it. The malicious Docker image, Cado says, has over 3,000 pulls and appears to be updated regularly.

    Baked within the image, OracleIV supports commands for UDP, UDP_PPS, SSL, SYN, HTTP/GET, and SLOW flood attacks, although some of the functions are not working.

    Resource : https://www.securityweek.com/mysql-servers-docker-hosts-infected-with-ddos-malware/

    18Dec, 2023
    MongoDB Suffers Security Breach, Exposing Customer Data

    MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

    The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

    It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

    In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.

    That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event.

    When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

    Resource : https://thehackernews.com/2023/12/mongodb-suffers-security-breach.html

    16Dec, 2023
    New Security Vulnerabilities Uncovered in pfSense Firewall Software – Patch Now

    Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances.

    The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

    “Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks,” security researcher Oskar Zeino-Mahmalat said.

    “Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.”

    Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.

    A brief description of the flaws is given below –

    • CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
    • CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
    • CVE-2023-42326 (CVSS score: 8.8) – A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

    Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim’s web browser.

    As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim’s permissions.

    “Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack,” Zeino-Mahmalat said.

    Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.

    The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code’s built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    Resource : https://thehackernews.com/2023/12/new-security-vulnerabilities-uncovered.html

    6Dec, 2023
    15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

    New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.

    “More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes,” Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. “More than 6,000 repositories were vulnerable to repojacking due to account deletion.”

    Collectively, these repositories account for no less than 800,000 Go module-versions.

    Repojacking, a portmanteau of “repository” and “hijacking,” is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.

    Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to ensure that they still own their previous name as placeholders to prevent such abuse.

    Modules written in the Go programming language are particularly susceptible to repojacking, as unlike other package manager solutions such as npm or PyPI, they are decentralized due to the fact that they get published to version control platforms like GitHub or Bitbucket.

    “Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module’s details,” Baines said. “An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev.”

    To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners’ accounts being renamed or deleted.

    But VulnCheck noted that this protection isn’t helpful when it comes to Go modules as they are cached by the module mirror, thereby obviating the need for interacting with or cloning a repository. In other words, there could be popular Go-based module repositories that have been cloned less than 100 times, resulting in a bypass of sorts.

    “Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on,” Baines said. “A third-party can’t reasonably register 15,000 GitHub accounts. Until then, it’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from.”

    The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, that could be potentially exploited to stage supply chain, training data poisoning, and model theft attacks.

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    Resource : https://thehackernews.com/2023/12/15000-go-module-repositories-on-github.html?&web_view=true

    24Nov, 2023
    Introducing Bambdas

    You’ve might have heard of Lambdas. But have you heard of Bambdas? They’re a unique new way to customize Burp Suite directly from the UI, using only small snippets of Java.

    Changing the face of Burp Suite

    The introduction of Bambdas exposes some of the core “behind the scenes” functionality of Burp Suite for the very first time. In essence, as the feature is rolled out across various tools within Burp Suite, you’ll be able to customize Burp to make it work in exactly the way that you want it to.

    The possibilities contained within the Bambdas functionality are theoretically endless. As the feature develops, we believe it’ll enable you to replace the age-old frustrated cry of “Why can’t Burp do this?” with a shiny new phrase. “I wonder if I can create a Bambda to make this work the way I need it to?”.

    How to work with Bambdas

    The first Bambda we’ve introduced enables you to write custom filters for the Proxy HTTP history. To help you get to grips with the unique potential of this functionality, we’ve created some examples to showcase some interesting request and response filters you might want to try.

    Find requests with a specific cookie value

    //Find requests with a specific cookie value
    if (requestResponse.request().hasParameter("foo", HttpParameterType.COOKIE)) {
    var cookieValue = requestResponse
    .request()
    .parameter("foo", HttpParameterType.COOKIE)
    .value();

    return cookieValue.contains("1337");
    }

    return false;

    Find JSON responses with wrong Content-Type

    //Find JSON respones with wrong Content-Type
    //The content is probably json but the content type is not application/json

    var contentType = requestResponse.response().headerValue("Content-Type");

    if (contentType != null && !contentType.contains("application/json")) {
    String body = requestResponse.response().bodyToString().trim();

    return body.startsWith( "{" ) || body.startsWith( "[" );
    }

    return false;

    Find role within JWT claims

    //Find role within JWT claims
    var body = requestResponse.response().bodyToString().trim();

    if (requestResponse.response().hasHeader("authorization")) {
    var authValue = requestResponse.response().headerValue("authorization");

    if (authValue.startsWith("Bearer ey")) {
    var tokens = authValue.split("\\.");

    if (tokens.length == 3) {
    var decodedClaims = utilities().base64Utils().decode(tokens[1], Base64DecodingOptions.URL).toString();

    return decodedClaims.toLowerCase().contains("role");
    }
    }
    }

    return false;

    Some helpful Bambdas code snippets

    Once you’re comfortable with the basics of how Bambdas work, there are a few tricks you might want to utilize to help you get even more value from the functionality. If you’re using something a lot, and want to save yourself some time, you can assign it to a variable. For example:var request = requestResponse.request();

    If you want to check if a parameter exists, and if it’s value is present, you can request it by name and check it for null instead:var cookie = request.parameter("foo", HttpParameterType.COOKIE);

    So that you can see how these code snippets can be applied, we’ve recreated the first example on finding requests with a specific cookie value.

    Hear from the developers of Bambdas

    Sean from the development team is here to introduce you to Bambdas, a unique new way to customize Burp Suite on the fly with small snippets of Java. You’ll learn what a Bambda is, why we’ve built them into Burp Suite, and see a couple of examples of how Bambdas work.

    Resource : https://portswigger.net/blog/introducing-bambdas

    10Nov, 2023
    New BlazeStealer Malware in PyPI Targets Developers

    A new set of malicious Python packages has been discovered on the Python Package Index (PyPI) repository. These packages masquerade as harmless obfuscation tools but contain a malware called BlazeStealer, reported Checkmarx.

    Diving into details

    • The campaign started in January 2023 and includes eight packages – Pyobftoexe, Pyobfusfile, Pyobfexecute, Pyobfpremium, Pyobflite, Pyobfadvance, Pyobfuse, and pyobfgood. 
    • The BlazeStealer malware can execute a number of malicious actions on the infected host, including harvesting sensitive information such as passwords and screenshots, executing arbitrary commands, encrypting files, and disabling Microsoft Defender Antivirus.
    • The malware runs a Discord bot to facilitate communication between the threat actor and the infected system.
    • Most downloads originated from the U.S., China, and Russia, followed by Ireland, Hong Kong, Croatia, France, and Spain.

    Related incidents

    • Phylum uncovered a set of npm modules—puma-com, erc20-testenv, blockledger, cryptotransact, and chainflow–that can stealthily deliver a next-stage malware.
    • In October, Checkmarx observed a sophisticated attacker deploying malicious packages in PyPi and npm, accumulating nearly 75,000 downloads. The campaign was launched in April.

    The bottom line

    Open-source software provides a rich environment for germinating new ideas, but it also requires a healthy dose of skepticism. Developers must stay alert and thoroughly assess the reliability and safety of packages before incorporating them into their work.

    Resource : https://cyware.com/news/new-blazestealer-malware-in-pypi-targets-developers-666fe1bd

    10Nov, 2023
    GitHub Enhances Security Capabilities With AI

    Microsoft-owned code hosting platform GitHub today announced the public preview of three AI-powered features in GitHub Advanced Security.

    Available for GitHub Enterprise Cloud and Enterprise Server customers, Advanced Security provides a series of features to help maintain and improve the quality of code. Some of these features, such as Dependabot, are also available for public repositories.

    In a push for proactive security, GitHub has released tens of new capabilities to Advanced Security over the past year, and is now adding AI into the mix, “to revolutionize how developers build secure applications from the get-go”.

    In addition to code scanning, the platform now offers an ‘autofix’ capability, where AI-generated fixes will be delivered for CodeQL, JavaScript, and TypeScript alerts in developers’ pull requests, enabling them to address issues immediately.

    “These are not just any fixes, but precise, actionable suggestions that will allow you to quickly understand what the vulnerability is and how to remediate it. You can instantly commit these fixes to your code, helping you resolve issues faster and preventing new vulnerabilities from creeping into your codebases,” GitHub says.

    The platform is also leveraging the latest LLMs to identify leaked passwords with lower false positives. The capability is offered as part of secret scanning, currently in limited public beta.

    GitHub’s secret scanning program has 180 partners and provides more than 225 patterns for scanning, and is now leveraging AI to make it easier for code maintainers to create custom patterns to detect secrets unique to their organizations.

    “Through this form-based experience, all you have to do is answer a few simple questions to auto-generate custom patterns in the form of regular expressions. This new feature enables you to execute dry runs in real time to ensure proper scanning before saving the newly created pattern,” GitHub explains.

    Additionally, the platform has updated the security overview dashboard to provide security managers and administrators with access to an analysis of their security alerts and a better view of their security posture, based on risks, remediation, and prevention.

    “We’re thrilled to harness the power of AI to improve the relevance of alerts, speed up remediation, and improve the administrative experience—with the ultimate goal of making your teams happier and more productive, and your code more secure,” GitHub says.

    A spike in generative AI repositories

    Also today, GitHub released a new iteration of its Octoverse report, revealing that an increasing number of developers are building open source generative AI projects, which have made it to “the top 10 most popular open source projects by contributor count in 2023”.

    The number of generative AI projects on GitHub in the first half of 2023 more than doubled compared to the entire 2022, and developers have progressed from research to using pre-trained models and APIs to create generative AI-powered applications.

    Building on top of foundation models, such as ChatGPT, developers leverage LLMs to create APIs, assistants, bots, mobile applications, and plugins, laying the groundwork for mainstream adoption.

    “With almost all developers (92%) using or experimenting with AI coding tools, we expect open source developers to drive the next wave of AI innovation on GitHub,” the platform says.

    The top 20 open source generative AI projects on GitHub are owned by individuals, but the platform expects organizations to start using pre-trained AI models too, as more developers become accustomed to them.

    In terms of contributions to generative AI projects, GitHub has observed a 148% year-over-year growth, with the US, India, and Japan leading the trend, and Hong Kong, the UK, and Brazil following.

    “As more and more developers gain familiarity with building generative AI-powered applications, we expect a growing talent pool to bolster businesses that seek to develop their own AI-powered products and services,” GitHub notes.

    Today, the platform also announced the adoption of LLMs for GitHub Copilot, the AI developer tool that has more than one million paid users. In December, the tool’s users will have access to Copilot Chat, which leverages LLMs to help developers identify errors, debug code, and more.

    “Copilot Chat will be generally available in December 2023 as part of your existing GitHub Copilot subscription, for organizations and individuals. This offering is also available at no cost to verified teachers, students, and maintainers of popular open source projects,” GitHub announced today.

    Resource : https://www.securityweek.com/github-enhances-security-capabilities-with-ai/?web_view=true

    8Nov, 2023
    Performance Development: Unlock Your Team’s Potential

    SHRM defines performance management as “the process of maintaining or improving employee job performance through the use of performance assessment tools, coaching, and counseling as well as providing continuous feedback.”

    But far too many organizations stop at the first part — performance assessment — and miss the opportunity to actually improve employee performance. Only about one in four employees strongly agree that their manager provides meaningful feedback to them or that the feedback they receive helps them do better work. And only 21% of employees strongly agree that their performance is managed in a way that motivates them to do outstanding work.

    Best-in-class organizations are integrating continuous feedback and development to enable more effective performance management. This approach is often referred to as performance development — think of it as the place where performance management meets career development — and it can be a great way to unlock your team members’ full potential.

    The benefits of performance development

    Performance development goes beyond traditional employee reviews to focus on fostering continuous growth, skills enhancement, and career progression.

    Investing in a more robust approach to performance management has many benefits, including: 

    • Building emerging skill sets. Skills sets for jobs have changed by around 25% since 2015 — and this number is expected to grow to 65% by 2030. Effective performance management can help your team members identify and learn the in-demand and emerging skills they need to be successful in their current roles — and in their future ones. 
    • Increasing employee engagement. Performance development demonstrates the direct connection between feedback and career growth, motivating employees to go above and beyond at work. In fact, Gallup found that development is a top driver of employee engagement.
    • Reducing turnover. Continuous feedback and development shows your organization’s commitment to an employee’s long-term success, making your team members more likely to stay. The Josh Bersin Company found that organizations that offer ongoing skill development to their employees are 7.2x more likely to retain and engage their employees than those that don’t.
    • Improving business outcomes. Upskilling, engaging, and retaining talented team members through effective performance development practices can make a tremendous impact on your organization’s success. Companies that facilitate career development are 4x more likely to innovate effectively and 2.6x more likely to exceed financial targets.

    Building a performance management program that encourages career development

    Effective performance management is more than an annual event — it’s an ongoing process of goal setting, employee development, performance evaluation, and rewards. Each should be discussed regularly to nurture an engaged, motivated, and highly skilled workforce.

    Align on goals and performance expectations

    Just 50% of employees clearly understand what’s expected of them at work and only 21% strongly agree they have performance metrics that are within their control. Ambiguity and uncertainty around job expectations can hinder performance and negatively impact engagement.

    Discussing goals and expectations with each of your team members is a critical step toward effective performance management. Employees should understand how their success is being measured and feel empowered to accomplish their goals.

    Begin discussions on goal setting during your employee onboarding process by reviewing the job description, organizational goals, and your team member’s expected impact. Work together to build achievable short- and long-term goals, revisiting them during check-ins and performance reviews to gauge progress and make adjustments. 

    Employees whose managers involve them in goal setting are 3.6x more likely than other employees to be engaged, making this a worthwhile step in your performance management process.

    Build and maintain employee development plans

    Every employee has opportunities to learn and develop — and most want to. More than four out of five employees (83%) say that improving their skills is one of their top priorities

    Hold regular conversations with your team members to learn about each person’s professional growth goals, career aspirations, and skills they’d like to master. Then find the intersection of your team member’s development goals and your business needs to create a personalized performance development plan for each employee. 

    Performance development should go beyond addressing areas for improvement to also include honing strengths, learning emerging skills, and reskilling. Employees’ top motivation to learn is progress toward career goals, so it’s crucial to get your team members’ feedback and buy-in around their development plan to ensure alignment.

    Update development plans as your team members acquire new skills and identify additional opportunities for professional growth. The most effective development plans are flexible to accommodate evolving needs and interests.

    Provide continuous feedback

    Only 21% of U.S. employees strongly agree they have received meaningful feedback in the last week, with nearly half saying they receive feedback a few times a year or less. In other words, most employees don’t get enough performance feedback to understand what they’re doing well or when they need a course correction.

    Effective performance development requires that feedback be given consistently so employees have the guidance they need to be successful in their roles. Things you can do to make sure this happens include:

    • Initiate casual conversations. Let employees know when you see commendable efforts or teachable moments in their day-to-day work. Frequent feedback lets your team members know how you feel about their current performance and guides their development. Record the feedback in your performance management system so it can be referenced during future performance discussions.
    • Plan regular check-ins. Schedule regular one-on-one meetings to discuss progress toward goals, challenges, and development needs. These informal check-ins are a great opportunity to go in-depth on performance development discussions so you can make necessary adjustments to employee goals and development plans. 
    • Conduct regular performance evaluations. Plan comprehensive performance reviews at regular intervals to assess your employee’s overall performance and goal attainment. If you do performance development well, employees shouldn’t be hearing any feedback for the first time during the review process.

    Reward your team members for professional development

    Rewarding your team members for professional development acknowledges their effort and demonstrates the value your organization places on learning and growth. It can also help you retain employees: Compensation and career progression are among the top reasons for turnover.

    Offer raises and promotions as appropriate to reward your team members for developing their skill sets and gaining new experiences. This is particularly important if your employee’s new competencies or responsibilities qualify them for a higher pay grade or job level according to your compensation strategy.

    Final thoughts: Effective performance management is an ongoing process

    Gone are the days where an annual review is considered sufficient to manage employee performance. Modern teams encourage ongoing performance development to help employees achieve professional growth and meet evolving organizational goals. This approach can help you unlock your team’s full potential and drive your company’s success.

    Resource : https://www.linkedin.com/business/talent/blog/learning-and-development/performance-development

    3Nov, 2023
    Lendlease, Google end development deals for San Francisco Bay Area projects

    Nov 3 (Reuters) – Lendlease Group (LLC.AX) and Alphabet’s (GOOGL.O) Google reached a mutual agreement to end development services deals for four master-planned districts in the San Francisco Bay Area, the Australian developer said on Friday.

    “The decision to end these agreements followed a comprehensive review by Google of its real estate investments, and a determination by both organisations that the existing agreements are no longer mutually beneficial given current market conditions,” Lendlease said.

    Google did not immediately reply to Reuters’ request for comment.

    Lendlease in 2019 bagged the contract from Google to develop $15 billion worth of residential and retail space in Sunnyvale, San Jose and Mountain View.

    Under the project, Leandlease was to develop up to 15 million square feet of residential, retail and hospitality space and associated amenities, and Google would develop office space.

    California’s commercial real estate market is one of the hardest hit globally as remote working has reduced the demand for office space amid declining property values and higher debt servicing costs on the back of rising rates.

    In June, Unibail-Rodamco-Westfield (URW.PA), owner of one of the biggest shopping centers in the city decided to walk away after 20 years, hurt by declining sales, occupancy and foot traffic.

    Earlier this year, Lendlease also paused its 47-storey Hayes Point project in central San Francisco, its largest investment in the Americas, looking to line up tenants or find a co-investor.

    Lendlease said it will remove the San Francisco Bay project, which was expected to commence construction in fiscal 2026, from its development pipeline.

    “While market expectations for the project had deflated over the past ~12-18 months, the change is negative for medium term (FY26-28) earnings,” analysts at UBS said.

    Lendlease retained its forecast for fiscal 2024, with core operating return on equity at the lower end of its 8%-10% range.

    Resource : https://www.reuters.com/world/us/lendlease-google-end-development-agreements-san-francisco-bay-area-projects-2023-11-03/