May 11, 2015
Erik R. Yverling | SmartBear
Testing APIs in the Cloud
Erik R. Überling | SmartBear
Testing APIs in the Cloud
A little bit about me
• Developer at SmartBear working on soapUI
• Lives in Stockholm, Sweden
• Agile enthusiast
• Linux and Open Source lover
• Just another fellow geek
No code :(
Recommendations!
Overview
• Golden age of APIs
• Testing APIs
• Testing APIs in the Cloud
• Testing APIs from the Cloud
• Recommendations
Golden age of APIs
Golden age of APIs
• APIs are at the core of business strategies – not just
technology strategies
Source: programmableweb.com
Year
Reg
istr
ed
AP
Is
APIs are growing rapidly
Testing APIs
API
Quality aspects of APIs
• Functionality – does it work as expected?
• Performance – does it perform as required?
• Security – is it secured for common attacks?
• Usability – is it usable?
• Compliance – does it follow common practices?
How are APIs tested?
APIs generally implement a request-response
model for exchanging messages or data
API Test
Parameterized Request
Response
A simple test sends a request message and validates
that the response message has the expected content
Testing APIs in the Cloud
API
APIs + the Cloud = true
• High availability
• High scalability
• Easy deployment on the locations of your customer
Quality aspects of cloud APIs
• Functionality – does it work as expected?
• Performance – does it perform as required?
• Security – is it secured for common attacks?
• Usability – is it usable?
• Compliance – does it follow common practices?
• Policy and regulations– does it follow your legal regulations?
Functionality
• Does it matter where your API is deployed?
– Timestamps?
– Time zones?
– Locales?
Performance
• How to handle shared resources with others?
• How to make sure that the API is able to scale?
Security
• How to handle sensitive transactions to your
backend?
Policy and regulations
• How much of your traffic that is allowed to cross
country boarders?
• US export controls
• Is there a limit for load testing?
• What about costs related to transactions?
Policy and regulations
• What happens if your API stops working?
Testing APIs from the Cloud
API
Test Environment
as a service (TEaaS)
API
Quality aspects of APIs tested from the Cloud
• Functionality – does it work as expected?
• Performance – does it perform as required?
• Security – is it secured for common attacks?
• Usability – is it usable?
• Compliance – does it follow common practices?
• Policy and regulations– does it follow your legal regulations?
Functionality
• How will your application react to request from
different locations?
Performance
• How will your API react on distributed load?
Security
• Will you be able to test your API from all kinds of
locations?
• Is there some locations that should not be able to
reach the API?
Whoa!
Using the Cloud seams like a lot of work!
Recommendations!
Testing APIs in the Cloud
API
Functionality
• Reuse test cases during development for monitoring
In Agile you have
“Continuous Integration”
API Test should be run automatically and
continuously for every build of the software
In DevOps you have
“Continuous Deployment”
API Monitors run continuously to
ensure operations and production quality
Agile
Business Development Operations
DevOps
Benefits of Test Asset Reuse
Development :
Continuous Integration / Deployment
Operations : API Monitoring
API Tests and
Quality Assets
Functionality
• Reuse test cases during development for monitoring
• Start with a local baseline setup to compare with
• Mock out external dependencies to begin with
• Mind the backwards compatibility
Functionality
• Run regression tests against different locations
• Designing your application for failure recovery
Performance
• Make performance requirements
• Experiment with the load
• Parallelize
• Consider using dedicated machines
• Use monitoring together with the load test
Performance
• Run load tests in an isolated environment for root
cause analysis
• Chaos monkey!
Security
• Make security requirements
• Encrypt sensitive transactions to your backend
• Encrypt data before sending it to the Cloud
• Find out who is responsible for the different aspects
of security
Policy and regulations
• Check the legal implications with your company
experts
• Check what backup/recovery solution your provider
offers
• Check the providers regulations for load testing
• Do a calculation on what it may cost you to run your
load tests
Compliance
• Don’t always follow standards to the letter (others
may not).
• Look for best practices and reference
implementations
Testing APIs from the Cloud
API
Functionality
• Beware of from where you tests are run
• Run functional tests that depends on a geographical
location from that actual geographical location
• Easily create nodes in your test lab for different client
setups
Performance
• Use distributed load testing for better performance
• Scale your test suite along with your API
Security
• Make sure to cover locations that should not be able
to access the API
• Be aware of firewalls if your API is protected
Summary
• Golden age of APIs
• Testing APIs
• Testing APIs in the Cloud
• Testing APIs from the Cloud
• Recommendations
Try this at home!
• Check out soapUI Test On Demand
• http://www.soapui.org
?