Blog Spain

Smart API Testing: Automatizado y con Visión de Negocio

Santiago Martínez, Head of QA & Testing

Although the concept of APIs is nothing new in the IT world, it is only fairly recently that APIs and associated management platforms have become the most widely used software development architecture. Almost all new application architectures are being orientated with this paradigm.

A traditional first approach to these tests has been the use of tools such as Postman or SoaPUI to validate the interfaces, but we will need to go further if we want to provide more value and achieve good quality levels from testing in the new API architectures that are emerging.

If we think more deeply about the strategy for approaching these tests, we will realise that they require a different approach than traditional system testing and that we must cover all the areas susceptible to error and improvement in a systematic way. These are systems with many orchestration and communication functionalities, not only internal to the application but also third-party systems, so the test case is complicated.

How do we address this challenge?

Supporting the architecture and development experts on APIs and working side by side with SQA is crucial to prepare a correct approach that goes beyond purely mechanical and functional testing, and that manages to identify most of the possible defects in the software before its release to production.

Firstly, the types of evidence that should be considered in these cases are the usual ones, but with particular emphasis on certain aspects:

• Unit testing: To be managed by development teams, in collaboration with QA.
• Integration testing: This has become much more important than in traditional environments.
• End-to-end testing: Also taking into account the existence of other external systems.
• Security testing: An essential element due to the systems’ exposure to the outside.
• Performance testing: Taking into account load expectations and external interactions. It is also important to control potential response times in the user interface that pull from the API we are testing.

To intelligently define and execute all these types of tests, with speed and efficiency, there are several tactics and principles that can help us:

1. Building an API test automation framework that not only validates “Incoming Message vs. Outgoing Message”, but also provides a business view to these tests, using methodologies like BDD and tools like Karate in API testing.
2. Creating ad hoc accelerators that allow you to validate WDSL or Swagger automatically, for example, so definition errors are not missed.
3. Implementing service virtualisation and using simulators to reduce testing times.
4. Using contract testing. If you establish early on what information the consumer of an API will receive and can make sure that the API producer submits the appropriate information (both in structure and data content), you can anticipate potential problems in that interface. You can use mocking techniques to help you validate functionality as quickly as possible, without needing to involve all the systems. All you’ll need is the production system that is being validated and to establish the Contract to be fulfilled and make sure that you validate its fulfilment in time. You can use open source tools like Pact, which can make this task easier.
5. Automating API performance testing with tools such as LoadUI, Taurus or Postman.
6. Defining pen testing on APIs, which will need to be done in coordination with cybersecurity teams, given their importance. To do this you could use tools for API REST, such as Astra.
7. Defining methodologies for API interoperability testing and standard validation (OpenAPI, OPC Unified Architecture, RAMI 4.0, etc.).
8. Using our automatic API tests as a sanity check in production.

If you are rigorous and exhaustive in the application of these principles, your API systems will be able to improve their quality levels, resulting in more satisfied customers and users.