Ensuring that your APIs are delivering the necessary level of security, reliability, and performance inevitably involves developing, continuously executing, and religiously maintaining a broad array of complex tests.
Here are 5 key API testing “must haves” that will help you achieve this:
Exposing services as APIs without proper hardening is like bringing your child to a “developing” country without first obtaining the recommended immunizations. Fortunately, the tools and strategies for achieving the proper hardening are an extension of those that have proven effective for SOA testing—just as the process of administering the immunizations required for foreign travel is essentially an extension of administering the recommended domestic ones.
As the extreme exposure and misuse potential of APIs makes testing a broad range of conditions and corner cases critical, automation comes to the forefront. The creation and execution of simple automated tests with limited or manual validation might have sufficed given the internal scope of SOA, but more sophisticated and extensive automation is required to be confident that your APIs are robust enough to survive in the wild. You need a level of automation that gives you a comprehensive set of functional test cases that can be repeated in a systematic manner.
Recommended capabilities for this goal include an intuitive interface for automating complex scenarios across the messaging layer, ESBs, databases, and mainframes:
Continuously evolving APIs helps organizations stay a step ahead of the competition while responding to business demands. Yet, this frequent change presents significant quality risks if the automated test suite fails to keep pace with the evolving API.
A system for fast, easy, and accurate updating of test assets is critical for keeping test assets in sync with the changing API. If you can automatically assess the impact of changes to existing tests and then quickly update existing tests (or create new ones) in response to the identified change impacts, you can vastly reduce the amount of time required to ensure that your tests don’t fail due to expected changes…or overlook critical new functionality.
Service Virtualization technology creates simulated test environments that provide anytime, anywhere access to the behavior of dependent system components that are unavailable, difficult to access, or difficult to configure for development or testing. “Dependent components” might include mainframes, mobile app front-ends, databases, web services, third-party applications, or other systems that are out of your team’s direct control. Service virtualization can be used in conjunction with hardware/OS virtualization to access the environments you need to test earlier, faster, or more completely.
In the context of API testing, service virtualization can be applied in two key ways:
Due to the highly-exposed nature of APIs, there’s a high potential for unpredictable and often volatile traffic volumes. To determine whether your API will satisfy SLAs in the event of the erratic or surging demand that APIs commonly face, it’s essential to ramp up the scope of performance testing. You can use service virtualization (covered above) to create simulated test environments that help you test against different performance scenarios that would otherwise be difficult to create in the test environment.
For instance, you can easily set performance conditions (e.g., timing, latency, delay) to emulate peak, expected, and slow performance—perhaps to help you plan for cloud bursts or determine how the API might respond when someone is accessing it from China. You can also configure various error and failure conditions that are difficult to reproduce or replicate with real systems—for instance, if your APIs rely on Amazon Web Services, you can easily simulate a scenario where AWS is down. This ability to rapidly configure a broad range of conditions in dependent systems is essential for determining if your APIs provide reasonable responses—or at least fail gracefully—under exceptional conditions.
One final way that adopting service virtualization helps performance testing: you can “virtualize” any connections to third-party systems, reliably eliminating the risk that your stress tests might impact services you aren’t permitted (or budgeted) to barrage with test messages.
Considering APIs’ increased attack surface area, a multi-faceted security testing strategy is essential for ensuring that development has built the appropriate level of security into your application. This includes:
In addition, if you’re adopting service virtualization (covered above) you can leverage it to take your security testing to the next level:
ResearchWant to learn more about API Testing? Download a complimentary Forrester Wave report that evaluates 9 functional test automation tool vendors across 40 criteria to help organizations working on enterprise, mobile, and web applications select the right tool.
Parasoft’s industry-leading automated software testing tools support the entire software development process, from when the developer writes the first line of code all the way through unit and functional testing, to performance and security testing, leveraging simulated test environments along the way.