Programming On Linux – Greguti
Sat, 25 Sep 2021 08:02:57 +0000

SiFive HiFive Unparalleled Practices, Initial RISC-V Performance Testing
Fri, 24 Sep 2021 13:23:35 +0000

A few weeks ago, I finally received the HiFive Unmatched from SiFive as a flagship RISC-V development board. As a reminder, this is their mini-ITX development board powered by their U740 SoC and equipped with 16 GB of DDR4 system memory, a PCI Express x16 slot that can work with AMD Radeon graphics cards under Linux and other features. It was a pleasure to play with this development platform and attached you will find some early benchmarks showing the performance of the U740 as well as the evolution of Linux software support / performance.

The SiFive HiFive Unmatched is what many developers and enthusiasts have long been waiting for; it started shipping this summer after being announced late last year. The mini-ITX board is powered by a 24-pin ATX power connection, the PCI Express x16 slot (at PCIe x8 speeds) can power a graphics card if you want to use this board as a workstation, 16 GB of DDR4 is sufficient for most of today’s development needs, and there’s built-in Gigabit Ethernet, support for microSD and NVMe M.2 storage, an M.2 dongle slot for WiFi / Bluetooth and four USB 3.2 Gen1 ports.

The SiFive FU740 SoC that powers this development board has four SiFive U74 cores with one SiFive S7 core.

The HiFive Unmatched is a very good board for those who want to get acquainted with the early work of RISC-V development and other updates for this very promising ISA. The HiFive Unmatched is priced at $665, which certainly isn’t on par with the Raspberry Pi price tag, but not too bad either given the limited production and specs of this board. Hopefully, over time, SiFive will be able to produce a board optimized for those who want to experiment with RISC-V on a larger budget.

For those who are wondering about the PCI Express 3.0 x16 slot, it is limited to x8 lanes but can drive a graphics card. SiFive’s documentation lists the Radeon HD 6000 series (not to be confused with the current RX 6000 series) and RX 500 (Polaris) series as supported. AMD’s open source Linux graphics driver stack allows it to be built for RISC-V, but various ISA quirks with the driver seem to be what limit the range of graphics cards supported by the AMDGPU driver on the HiFive Unmatched. Trying a Radeon RX 5000 series Navi graphics card gave no working display, but opting for a Radeon RX 580 graphics card and an older Radeon HD 6770 graphics card worked without a problem. NVIDIA graphics are obviously not supported until they release a Linux RISC-V driver.

Apart from having to be aware of the caveats about GPU support if you want to use a display with the HiFive Unmatched, the experience was quite pleasant and easygoing for RISC-V.

10 Best API Security Testing Tools
Thu, 23 Sep 2021 09:00:00 +0000

Application programming interfaces (APIs) are an essential part of most modern programs and applications. In fact, cloud deployments and mobile apps rely on APIs so much that you can’t have either without an API handling components somewhere along the line. Many large businesses, especially those with a strong online presence, have hundreds or even thousands of APIs built into their infrastructure. The growth of APIs will only continue to increase.

The neat thing about APIs is that a lot of them are just tiny snippets of code, and all of them are designed to be small and unobtrusive in terms of network resource requirements. Yet, they are also flexible and able to continue working and performing their primary functions even if the program they interface with or control changes, such as when patches are applied.

As amazing as APIs are, they also have their flaws. Because they can be designed to do almost anything, from simple functions repeated over and over again to intelligent control of advanced aspects of various programs or platforms, almost no standard governs their creation. Most APIs are unique, and many organizations simply create new APIs as needed. It can be a nightmare for security teams.

Another way APIs are appealing to attackers is that many are over-authorized. Even APIs that only perform a few functions often have privileges close to administrator. The idea is that such a small API couldn’t hurt. Hackers compromise APIs and then use those credentials for new purposes, such as data exfiltration or deeper penetration into a network. Almost 75% of modern ID attacks targeted vulnerable APIs, according to a security study conducted by Akamai.

The problem is getting worse. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequently attacked vector across all cybersecurity categories.

API testing tools to the rescue

Having a critical network and program component in the sights of attackers is bad enough, but with APIs it is even more precarious due to the lack of standards involved in their creation. Many organizations probably don’t know how many APIs they are using, what tasks they are performing, or what level of permissions they have. Then there is the question of whether these APIs contain vulnerabilities.

Industry and private groups have developed API testing tools and platforms to help answer these questions. Some testing tools are designed to perform a single function, such as mapping the reasons why specific Docker APIs are misconfigured. Others take a more holistic, network-wide approach, researching APIs, then providing information about what they are doing and why they might be vulnerable or over-authorized.
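The two questions raised above (which APIs exist, and whether their permissions exceed what they need) can be answered in part from access logs. The following is an added example, not code from the article or from any of the listed tools; the routes, client names, scopes and log format are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory: documented routes and the scope each one requires.
INVENTORY = {
    ("GET", "/v1/orders/{id}"): "orders:read",
    ("POST", "/v1/orders"): "orders:write",
    ("GET", "/v1/users/{id}"): "users:read",
    ("DELETE", "/v1/users/{id}"): "users:admin",
}

# Constructed grants: scopes issued to each API client.
GRANTS = {
    "mobile-app": {"orders:read", "orders:write"},
    "report-job": {"orders:read", "users:read", "users:admin"},
}

# Constructed access-log lines: "<client> <method> <path> <status>".
LOG = """\
mobile-app GET /v1/orders/1041 200
mobile-app POST /v1/orders 201
report-job GET /v1/orders/1041 200
report-job GET /v1/orders/77 200
report-job GET /internal/debug/dump 200
mobile-app GET /v1/users/9 403
"""

def normalize(path):
    """Collapse numeric path segments so /v1/orders/77 matches /v1/orders/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def audit(log_text, inventory=INVENTORY, grants=GRANTS):
    shadow = set()            # routes seen in traffic but missing from the inventory
    used = defaultdict(set)   # scopes each client actually exercised
    for line in log_text.splitlines():
        client, method, path, status = line.split()
        route = (method, normalize(path))
        if route not in inventory:
            shadow.add(route)
        elif status.startswith("2"):  # only successful calls show a scope is needed
            used[client].add(inventory[route])
    # Granted-but-never-used scopes are candidates for removal (least privilege).
    unused = {c: sorted(s - used[c]) for c, s in grants.items() if s - used[c]}
    return sorted(shadow), unused

if __name__ == "__main__":
    shadow, unused = audit(LOG)
    print("undocumented routes:", shadow)
    print("unused scopes:", unused)
```

A scope that goes unused over a short log window is only a candidate for removal; a longer observation period is needed before revoking it.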

Several well-known commercial API testing platforms are available, as well as a wide range of free or low-cost open source tools. Commercial tools typically have more support options and can be deployed remotely through the cloud or even as a service. Some open source tools can be just as good and have the support of the user community that created them. Which one you choose depends on your needs, the security expertise of your IT teams, and your budget.

Below are some of the best commercial API testing tools on the market and their main features, followed by some open source tools.

Commercial API testing tools and platforms


APIsec

The APIsec platform acts as a penetration testing tool for APIs. While many tools can scan for vulnerabilities common to typical attacks such as script injections, APIsec tests every aspect of targeted APIs to ensure that everything from the core network to the endpoints that access them is protected against vulnerabilities in the API code.

A great advantage of APIsec is that it can be deployed in the development phase while programming APIs. A full scan of the apps being built takes just minutes, with results comparable to old-school penetration testing operations that took days or weeks.


AppKnox

AppKnox offers a lot of support for those who buy and deploy their platform. Combined with its easy-to-use interface, this makes AppKnox a good choice for organizations that don’t have large security teams dedicated to their APIs. AppKnox begins with a scan to locate APIs either in the production environment, on endpoints, or wherever they can be deployed. Once located, users can select which APIs they wish to submit for further testing.

AppKnox tests all common issues that can cause an API to break or be compromised, such as command injection vulnerabilities in HTTP requests, cross-site tracing, and SQL injection vulnerabilities. This includes a full scan of web servers, databases, and all server components that interact with the API.

After the API analysis, users can submit their results for advanced analysis with a human security researcher, a process that the company says normally takes three to five days.

Data Theorem API Secure

The Data Theorem API Secure platform is designed to adapt to any continuous integration and continuous delivery / deployment (CI / CD) environment to provide continuous security to APIs at every stage of development and in the production environment. Its analytics engine constantly searches the network for new APIs and can quickly identify those that are not allowed or those that are part of an organization’s shadow IT.

The scan engine keeps abreast of the most recent vulnerabilities discovered for APIs and continually tests protected assets. It works with both on-premises and cloud environments to ensure that no API can fall victim to the latest threats. To keep the CI / CD pipeline clear and fluid, Data Theorem API Secure offers to automatically resolve discovered issues without requiring human intervention. This way, companies can protect their APIs against the latest threats, as long as they are comfortable with a high level of automation.


Postman

While Postman certainly qualifies as a testing tool for APIs, its reputation is that of a comprehensive and collaborative platform for building secure APIs. It’s used by millions of developers working in Windows, Linux, and iOS environments, and for good reason.

Postman provides developers with a comprehensive set of API tools to use when designing new APIs, and it also provides a secure repository for code that organizations can create over time. Using the secure repository can ensure that future APIs maintain strict security and organizational standards from the start.

The workspaces provided by Postman are designed to help developers organize their work. It can also provide security warnings when an application’s code begins to deviate from the organization’s established secure model or incorporates a potential vulnerability. This way, the problem can be fixed long before the API reaches the production environment.

Smartbear ReadyAPI

In addition to security testing, the Smartbear ReadyAPI platform is designed to optimize the use and performance of APIs in any environment. It can run an API security scan with one click, but it also supports other critical functions like seeing how well an API can handle an unexpected load or a sudden spike in usage.

You can configure ReadyAPI to generate the specific types of traffic that the API is intended to handle. It can also record live API traffic so that future testing is more accurate and configured for the unique environment in which it will operate. Additionally, the platform can import almost any specification or schema to test APIs using the most common protocols. Natively, ReadyAPI supports Git, Docker, Jenkins, Azure DevOps, TeamCity and more, and can run in any environment, from development to QA long before APIs go live.

Synopsys API Scanner

One of the reasons Synopsys API Scanner is so powerful is that in addition to security testing, it also incorporates fuzzing as part of its extensive analysis and testing suite. The fuzzing engine sends thousands of unexpected, invalid, or random inputs to APIs to see how they behave or if they break when subjected to things like very large numbers or odd commands.

It also traces all the paths and logic of an entire API, including all endpoints, settings, authentications, and specifications that apply to its use. This gives developers a clear picture of what functions they intend their APIs to perform, versus what they might sometimes be doing. It clearly indicates why an API can be prone to unexpected behavior or security vulnerabilities.
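The fuzzing idea described above, as an added example that is not code from the article or from the scanner: a small harness feeds edge-case and random values to a handler and separates clean rejections from unhandled exceptions. The handlers, the `amount` field and `BadRequest` are hypothetical names invented for this sketch.

```python
import json
import random

class BadRequest(Exception):
    """Clean rejection: the handler noticed the input was invalid."""

def _amount(body):
    """Parse the body and return the raw 'amount' field, or reject cleanly."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        raise BadRequest("not JSON")
    if not isinstance(req, dict) or "amount" not in req:
        raise BadRequest("amount required")
    return req["amount"]

def naive_handler(body):
    cents = int(_amount(body) * 100)   # assumes a sane, finite number
    return {"cents": cents, "shares": 10_000 // cents}

def hardened_handler(body):
    amount = _amount(body)
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        raise BadRequest("amount must be a number")
    if not (0.01 <= amount <= 1_000_000):   # also rejects inf and NaN
        raise BadRequest("amount out of range")
    cents = round(amount * 100)
    return {"cents": cents, "shares": 10_000 // cents}

# Constructed edge cases: zero, huge numbers, wrong types, odd strings.
EDGE = [0, -1, 10**400, float("inf"), 0.001, "100", None, [], {}, True, "\u0000"]

def fuzz(handler, rounds=200, seed=1):
    rng = random.Random(seed)   # fixed seed keeps findings reproducible
    values = list(EDGE)
    for _ in range(rounds):
        values.append(rng.choice([
            rng.randint(-2**63, 2**63), rng.random(),
            "".join(chr(rng.randint(32, 126)) for _ in range(8))]))
    bodies = [json.dumps({"amount": v}) for v in values] + ["", "[", "{}", "[1]"]
    findings = {}
    for body in bodies:
        try:
            handler(body)
        except BadRequest:
            continue            # expected: the input was rejected cleanly
        except Exception as exc:   # unexpected: would surface as a server error
            findings.setdefault(type(exc).__name__, body[:60])
    return findings
```

`fuzz(naive_handler)` returns one sample body per exception type, while `fuzz(hardened_handler)` returns an empty dict.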

Open source API testing tools

While open source tools typically don’t have the same support as commercial offerings, experienced developers can easily deploy them, often for free, to bolster or improve the security of their APIs. Here are some of the most popular offers according to the open source community.


Astra

Astra’s primary focus is on Representational State Transfer (REST) APIs, which can be extremely difficult as they often change all the time. Because the REST architectural style emphasizes scalability in its interactions between components, it can be difficult to secure REST APIs over time. Astra helps by offering to integrate into the CI / CD pipeline, verifying that the most common vulnerabilities do not spill over into a supposedly safe REST API.


crAPI

The crAPI tool has a terrible name, but it effectively performs its function as an API wrapper. It is one of the few wrappers that can connect to a target system and provide a base path with the root client’s default handler set. It can do this without having to make new connections. Advanced API developers can save a lot of time with it.

Apache JMeter

Apache JMeter, which unsurprisingly is written in Java, started out as a load tester for web applications, but has recently expanded to be used with almost any application, program, or API. Its detailed suite can test performance on static or dynamic resources. It can generate a heavy simulated load of realistic traffic so developers can experience how their API will perform under pressure.


Taurus

Taurus provides an easy way to turn stand-alone API testing programs into a continuous testing operation. On the surface, Taurus is easy to use. You install it, create a configuration file, and let your testing tools do their job. If you dig a little under the hood, you can discover ways to generate interactive reports, create more complex scenarios to push through your APIs, and set failure criteria so that you can immediately resolve any issues you discover.

Copyright © 2021 IDG Communications, Inc.

At 75, the Ojai Music Festival remains focused on the future
Wed, 22 Sep 2021 19:40:06 +0000

OJAI, Calif. – The return is a process. It is rarely linear.

The Ojai Music Festival, for example, returned September 16-19 to celebrate its 75th anniversary after a long pandemic absence. But there have been setbacks among the returns. Compromises were made to accommodate its move from spring to the last days of summer. An artist has been detained in Spain by travel restrictions. Diligently enforced security measures have slightly hardened the mood of this historic event, a harsh yet relaxing haven for contemporary music nestled in an idyllic valley of deadpan mysticism and sweet Pixie tangerines.

This edition of the festival is the first under the leadership of Ara Guzelimian, back at the helm after a stint in the 1990s. Each year, the person in his position organizes the programming with a new musical director; for Guzelimian’s debut, he chose composer John Adams, the paterfamilias of American classical music, who was born in the year of the first festival. Uninterested in a retrospective for this milestone anniversary, they presented their concerts as a prospective survey of young artists, which befits a festival that has long focused on the future.

But in music, the past, present and future always inform each other. Bach and Beethoven haunted new and recent works; pianist Vikingur Olafsson treated Mozart, as he likes to say, as if the ink had just dried on the sheet music. There is no future without looking back.