Testing APIs in the Cloud

Erik R. Yverling | SmartBear

Testing APIs in the Cloud

Erik R. Überling | SmartBear

Testing APIs in the Cloud

A little bit about me

• Developer at SmartBear working on soapUI

• Lives in Stockholm, Sweden

• Agile enthusiast

• Linux and Open Source lover

• Just another fellow geek

No code :(

Recommendations!

Overview

• Golden age of APIs

• Testing APIs

• Testing APIs in the Cloud

• Testing APIs from the Cloud

• Recommendations

Golden age of APIs

Golden age of APIs

• APIs are at the core of business strategies – not just

technology strategies

Source: programmableweb.com

Year

Reg

istr

ed

AP

Is

APIs are growing rapidly

Testing APIs

API

Quality aspects of APIs

• Functionality – does it work as expected?

• Performance – does it perform as required?

• Security – is it secured for common attacks?

• Usability – is it usable?

• Compliance – does it follow common practices?

How are APIs tested?

APIs generally implement a request-response

model for exchanging messages or data

API Test

Parameterized Request

Response

A simple test sends a request message and validates

that the response message has the expected content

Testing APIs in the Cloud

API

APIs + the Cloud = true

• High availability

• High scalability

• Easy deployment on the locations of your customer

Quality aspects of cloud APIs

• Functionality – does it work as expected?

• Performance – does it perform as required?

• Security – is it secured for common attacks?

• Usability – is it usable?

• Compliance – does it follow common practices?

• Policy and regulations– does it follow your legal regulations?

Functionality

• Does it matter where your API is deployed?

– Timestamps?

– Time zones?

– Locales?

Performance

• How to handle shared resources with others?

• How to make sure that the API is able to scale?

Security

• How to handle sensitive transactions to your

backend?

Policy and regulations

• How much of your traffic that is allowed to cross

country boarders?

• US export controls

• Is there a limit for load testing?

• What about costs related to transactions?

Policy and regulations

• What happens if your API stops working?

Testing APIs from the Cloud

API

Test Environment

as a service (TEaaS)

API

Quality aspects of APIs tested from the Cloud

• Functionality – does it work as expected?

• Performance – does it perform as required?

• Security – is it secured for common attacks?

• Usability – is it usable?

• Compliance – does it follow common practices?

• Policy and regulations– does it follow your legal regulations?

Functionality

• How will your application react to request from

different locations?

Performance

• How will your API react on distributed load?

Security

• Will you be able to test your API from all kinds of

locations?

• Is there some locations that should not be able to

reach the API?

Whoa!

Using the Cloud seams like a lot of work!

Recommendations!

Testing APIs in the Cloud

API

Functionality

• Reuse test cases during development for monitoring

In Agile you have

“Continuous Integration”

API Test should be run automatically and

continuously for every build of the software

In DevOps you have

“Continuous Deployment”

API Monitors run continuously to

ensure operations and production quality

Agile

Business Development Operations

DevOps

Benefits of Test Asset Reuse

Development :

Continuous Integration / Deployment

Operations : API Monitoring

API Tests and

Quality Assets

Functionality

• Reuse test cases during development for monitoring

• Start with a local baseline setup to compare with

• Mock out external dependencies to begin with

• Mind the backwards compatibility

Functionality

• Run regression tests against different locations

• Designing your application for failure recovery

Performance

• Make performance requirements

• Experiment with the load

• Parallelize

• Consider using dedicated machines

• Use monitoring together with the load test

Performance

• Run load tests in an isolated environment for root

cause analysis

• Chaos monkey!

Security

• Make security requirements

• Encrypt sensitive transactions to your backend

• Encrypt data before sending it to the Cloud

• Find out who is responsible for the different aspects

of security

Policy and regulations

• Check the legal implications with your company

experts

• Check what backup/recovery solution your provider

offers

• Check the providers regulations for load testing

• Do a calculation on what it may cost you to run your

load tests

Compliance

• Don’t always follow standards to the letter (others

may not).

• Look for best practices and reference

implementations

Testing APIs from the Cloud

API

Functionality

• Beware of from where you tests are run

• Run functional tests that depends on a geographical

location from that actual geographical location

• Easily create nodes in your test lab for different client

setups

Performance

• Use distributed load testing for better performance

• Scale your test suite along with your API

Security

• Make sure to cover locations that should not be able

to access the API

• Be aware of firewalls if your API is protected

Summary

• Golden age of APIs

• Testing APIs

• Testing APIs in the Cloud

• Testing APIs from the Cloud

• Recommendations

Try this at home!

• Check out soapUI Test On Demand

• http://www.soapui.org

?

Contact

• @erikryverling

• @soapui

• [email protected]