Each step includes:
- links to a few resources as a starting point, but you are likely to need to do your own additional research as you explore each topic.
- a suggested exercise or two, which focus on reflection, practical application and discussion, as a tool to connect the resources with your reality.
STEP - Distinguishing APIs and web services
An API (Application Programming Interface) is the means by which third parties can write code that interfaces with other code. A Web Service is a type of API that:
- is used to exchange data between applications,
- uses a standard defined by W3C,
- has an interface that is depicted in a machine-processable format usually specified as a WSDL (Web Service Description Language), and
- almost always operates over HTTP.
References: API vs Web Service, Difference between web API and web service, Difference between API and web service
- 2013 - What APIs Are And Why They're Important - Brian Proffitt
- 2006 - What are web services (section) - Nicholas Chase
- 2005 - Introduction to Web Services (PDF) - Ioannis G. Baltopoulos
EXERCISE
[1 hour] Once you feel that you understand the difference between APIs and web services, talk to a developer. Ask what APIs and web services exist within the application that you're working on. Work with your developer to draw a simple architecture diagram that shows whereabouts in your application these interfaces are located. Be sure you can distinguish which are APIs and which are web services, and that you know which protocols each interface uses.
STEP - Understanding SOAP and REST
Learn more about two common implementations of web services and the differences between them:
- 2006 - Understanding SOAP (section) - Nicholas Chase
- What is REST? (video) - Todd Fredrich
- 2013 - Understanding SOAP and REST Basics And Differences - John Mueller
- 2008 - How to GET a cup of coffee - Jim Webber, Savas Parastatidis & Ian Robinson
EXERCISE
[1 hour] Find out whether you have any services with both a SOAP and a REST implementation. This means that the same business operation can be served in two different formats through two different APIs. Talk to a developer or technical lead and ask them to demonstrate a request in each implementation. Discuss the differences between these two interfaces and some of the reasons that both exist.
STEP - API and web service testing
Discover the tools available and some common mnemonics to approach web service testing:
- 2014 - API Testing: Why it matters and how to do it - Michael Churchman
- 2013 - Johnny mnemonic - ICEOVERMAD - Ash Winter
- The API Testing Dojo - Smart Bear
- 2015 - API Testing: UI Tools - Avinash Shetty
- 2015 - API Testing: Developer Tools - Avinash Shetty
- 2015 - WTEU-53 - An introduction to API Testing - Amy Phillips
- 2015 - Some API Testing Basic Introductory Notes and Tools - Alan Richardson
EXERCISES
[3 hours] Repeat the 53rd Weekend Testing Europe session by running some comparative tests on the SongKick API and associated website. SongKick is a service that matches users to live music events taking place near them. Use your web browser to make API requests as you would a website URL. Alongside the links from Amy Phillips and Alan Richardson above, you can refer to the SongKick API and the full transcript of the Weekend Testing Europe session for guidance. Experiment with locating different test data and using different API requests until you understand how the API functions. Please abide by all terms of use and do not experiment with load or security testing on this API.
[3 hours] Install Postman and use it to test the TradeMe Sandbox API. TradeMe is the leading online marketplace and classified advertising platform in New Zealand. Public, unregistered, access to their developer API is restricted to catalogue methods. Experiment with retrieving information and compare your results against the TradeMe Sandbox site. Please abide by all terms of use and do not experiment with load or security testing on this API.
[3 hours] Explore the Predic8 online REST web services demo using the advanced REST client Chrome extension or PAW - the ultimate REST client for Mac. You will need to install your chosen software and read the supporting documentation for the demonstration REST service. Explore the different functions provided. In addition to retrieving information you should be able to modify data using POST, PUT and DELETE requests. Please abide by all terms of use and do not experiment with load or security testing on this API.
[3 hours] Select an API or web service within your application. Seek out the reference material to discover what requests are allowed. Apply what you've learned through testing the third party APIs to compare the behaviour of your internal interfaces and application. Use the tools you've tried before, or select a different tool to explore. Afterwards, discuss your testing with a developer or another tester within your team, share what you found and ask how this interface is tested now.
STEP - Technical implementation of REST API
Get a deeper understanding of REST APIs by understanding how they are designed and implemented:
- 2014 - How to design a REST API - Antoine Chantalou, Jérémy Buisson, Mohamed Kissa, Florent Jaby, Nicolas Laurent, Augustin Grimprel, Benoit Lafontaine
- 2014 - The commoditization of the user interface - Todd Friedrich
- 2014 - REST API application layers - Todd Friedrich
- 2014 - REST API design: Resource modeling - Prakash Subramaniam
- 2010 - Richardson maturity model - Martin Fowler
EXERCISE
[3 hours] Create a set of requests using a REST API within your organisation. Investigate how resources are modeled, e.g. resource URLs and HTTP verbs (GET, PUT, DELETE, POST). Talk to a developer or technical lead to check your understanding and ask questions about your REST implementation.
STEP - Security testing APIs
Explore the basics of security testing APIs:
- 2015 - How to Hack an API and Get Away with It (Part 1 of 3) - Ole Lensmar
- 2015 - How to Hack an API and Get Away with It (Part 2 of 3) - Ole Lensmar
- 2015 - How to Hack an API and Get Away with It (Part 3 of 3) - Ole Lensmar
- 2015 - WTEU-56 – Security testing for APIs - Dan Billing
EXERCISE
[8 hours] Repeat the 56th Weekend Testing Europe session by investigating the deliberately insecure API for the Supercar Showdown website, which forms the basis of Troy Hunt’s Pluralsight Course Hack Your API First. Alongside the write-up from Dan Billing above, you can refer to the Hack Your API First course materials and the full transcript of the Weekend Testing Europe session for guidance. Alongside the course materials, conduct your own experiments with the different facets of API security.
[3 hours] Apply what you've learned to assess the security of one of your APIs in a development or test environment, not production. Document any vulnerabilities that you discover to discuss with your development team. Talk to an architect about additional protection that is in place in your production environments to prevent attacks.
STEP - Service virtualization
Discover service virtualization and how it can be used in testing:
- What is service virtualization - John Mueller
- 2014 - Hardening Your Application Against API Failures with API Virtualization - Lorinda Brandon
- 2015 - 4 Ways to Boost Your Test Process with Service Virtualization - Bas Dijkstra
EXERCISE
[2 hours] Determine whether any of your test suites use service virtualization. Draw a detailed architecture diagram that reflects your understanding of where services are virtualized and how this has been implemented. Check your understanding with a developer or another tester and make sure you understand the reasons that the tests use service virtualization.
STEP - Introduction to microservices
These articles give an introduction to microservices and share practical experiences from organisations who use them:
- 2014 - Microservices - Martin Fowler
- 2015 - Introduction to microservices - Chris Richardson
- 2015 - Delving into the Microservices Architecture - John Mueller
- 2014 - How we build microservices at Karma - Stefan Borsje
- 2015 - Why 2015 will be the year of microservices - Eric Knorr
EXERCISE
[1 hour] Talk to a developer or technical lead to check your understanding of microservices, then discuss the benefits and drawbacks of switching to a microservices architecture.
STEP - Microservices testing
Discover how to test in a microservices world:
- Testing Strategies in a Microservice Architecture - Toby Clemson et al.
- 2015 - Performance Issue Considerations for Microservices APIs - John Mueller
- 2014 - 8 Questions You Need to Ask About Microservices, Containers & Docker in 2015 - Andrew Phillips
- 2009 - Integration tests are a scam - JB Rainsberger
- 2014 - Throw away your integration tests (slides) - Beth Skurrie
EXERCISE
[1 hour] Demonstrate your understanding of microservices testing by describing to another tester or test lead, in your own words, the types of testing that are possible in a microservices architecture.
STEP - A broader look at APIs
A brief introduction to API management and APIs within IoT, hypermedia, machine learning, etc.
- 2012 - What is API management - A Brief Primer - Navdeep Sidhu
- 2013 - API management platform capabilities - Jeevak Kasarkod
- 2015 - The API is the Invisible Hand Behind the Internet of Things - Jennifer Riggins
- 2014 - Working with Hypermedia APIs - John Mueller
- 2015 - Testing Challenges Associated with Machine Learning APIs - John Mueller
EXERCISE
[1 hour] Talk to a developer or technical lead about the future direction for our API implementation. Discuss how your organisation might be impacted by these ideas, or other innovations.
Nice and very detailed. Will share the link with my team members
Great resource, Katrina, and very timely. Just getting back into this after a long absence. Will be using this at work as well.
Thank you so much Katrina, very hot topic on client sites currently, I'm sure the team will get a lot of useful info from this.
This is such a good blog. I find I keep coming back to re-read and look for information when testing.
Just passed this onto one of my team members. Thanks for a great resource!
Great Blog post. All the information needed to become an API Testing Ninja is available at one place in this post.
This is a great post Katrina. I have one question under the microservice testing topic
Throw away the Integration Tests.
It uses Pact and I am currently trying to come up with a POC for pact.
Have you had any experience working with Pact for microservice testing? Is it really a viable solution to integration/e2e tests?
Fantastic. This will be my go-to for all new testers on my team :)
All Web services are APIs but all APIs are not Web services, with Exercise one, if they're looking at cloud/web based apps would there be APIs that aren't web services?