API (Application Programming Interface) testing is a type of software testing that aims to determine whether the APIs that are developed meet expectations when it comes to functionality, performance, reliability and security for an application.
The Importance of API Testing
Testing should be employed for three basic purposes – to validate a solution, to maintain a solution, and to eradicate an error.
An API is utterly worthless if it can’t be depended upon. Thus, testing to validate the implementation is key.
When testing to maintain a solution, what’s really being tested is the implementation of said solution and all of the results of said implementation. Testing to see whether the API is using resources correctly, whether there are better avenues for data handling, and other such focuses is important.
Eradicating an error is very specific to a given vulnerability. Memory leaks, insecurity, and other such concerns can be directly targeted with this type of testing.
The types of tests to perform on APIs are:
1. Validation Testing
Validation testing is essentially a set of simple questions applied to the entirety of the project. These questions include:
Product: Did we build the correct product? Is the API itself the correct product for the issue that was provided?
Behavior: Is the API accessing the correct data in the correctly defined manner? Is the API accessing too much data, is it storing this data correctly given the confidentiality and integrity requirements of the dataset?
Efficiency: Is the API the most accurate, optimized, and efficient method of doing what is required?
2. Functional Testing
Functional testing is still a very broad methodology of testing, but is less broad than those under Validation testing. Functional testing is simply a test of specific functions within the codebase. These functions in turn represent specific scenarios to ensure that the API functions within expected parameters, and that errors are handled well when the results are outside of the expected parameters.
3. UI Testing
While both validation and functional testing are somewhat generalized in their approaches, UI testing is more specific. UI testing is exactly what it says on the tin – a test of the user interface for your API and its constituent parts. This test is specifically concerned with the function of the UI, whether that interface is graphical in nature or depends upon command line point calls.
4. Load Testing
Load Testing is a test obsessed with reality. Load testing is typically done after the or the codebase as a whole, testing whether the theoretical solution works as a practical solution under a given load.
5. Run time/Error Detection
This type of test is entirely concerned with the actual running of the API. Whereas most of our other tests are chiefly concerned with the result of implementing the API in an environment or scenario, this test is chiefly concerned with the universal results of utilizing the API codebase.
6. Security Testing
Security testing, penetration testing, and fuzz testing are often launched as three separate components of a greater security auditing process. These types of tests are designed to ensure that the implementation of the API is secure from external threats.
7. Penetration Testing
In Penetration testing, the API is attacked by someone who has limited working knowledge of the API itself in order to assess the threat vector from an outside perspective. These attacks can be limited to certain functions, resources, or processes, or can target the entirety of the API and its constituent parts.
8. Fuzz Testing
In Fuzz testing, massive amounts of purely random data, sometimes referred to as “noise” or “fuzz,” are forcibly input into the system in order to attempt a forced crash, overflow, or other negative behavior. This is done to test the API at its absolute limits, and serves somewhat as a “worst case scenario.”
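A minimal fuzz harness for the approach described above, as an added example that is not from the original article. `handle_order` is a hypothetical handler constructed for the demonstration with a deliberate input-validation defect; the harness goes slightly beyond purely random bytes by also generating well-formed JSON with random values, and reports every input that escapes as an unhandled exception instead of a clean 4xx response.

```python
import json
import random

def handle_order(body: bytes) -> tuple[int, str]:
    """Hypothetical API handler under test (constructed for this example).
    Defect left in on purpose: it assumes the JSON body is an object
    and that "qty" is a number."""
    try:
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, "invalid JSON"
    qty = data["qty"]            # crashes on lists, scalars, or a missing key
    if qty <= 0 or qty > 1000:   # crashes when qty is a string, null, list...
        return 422, "qty out of range"
    return 200, "ok"

def random_case(rng: random.Random) -> bytes:
    """Return either pure random bytes or a JSON document with random values."""
    if rng.random() < 0.5:
        return bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 64)))
    value = rng.choice([None, True, -1, 0, 10**30, 1.5, "", "9" * 50, [], {}])
    doc = rng.choice([{"qty": value}, {"other": value}, [value], value])
    return json.dumps(doc).encode()

def fuzz(handler, iterations: int = 2000, seed: int = 1234):
    """Feed generated inputs to handler and collect the cases that escape as
    unhandled exceptions or return a status outside the documented set."""
    rng = random.Random(seed)  # fixed seed so every finding can be replayed
    findings = []
    for _ in range(iterations):
        case = random_case(rng)
        try:
            status, _ = handler(case)
            if status not in (200, 400, 422):
                findings.append((case, f"unexpected status {status}"))
        except Exception as exc:  # an unhandled exception is a 500 in production
            findings.append((case, type(exc).__name__))
    return findings

if __name__ == "__main__":
    results = fuzz(handle_order)
    kinds = sorted({kind for _, kind in results})
    print(f"{len(results)} failing inputs, exception types: {kinds}")
```

Each finding keeps the exact input bytes, so a failing case can be turned into a regression test once the handler validates the body type and the `qty` type before using them.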
9. Interoperability and WS Compliance testing
Interoperability and WS Compliance Testing is a type of testing that really only applies to SOAP APIs, and specifically checks for two general fields of function.
First, interoperability between SOAP APIs is checked by ensuring conformance to the Web services interoperability profiles. By conforming to these guidelines and utilizing these tests, interoperability between SOAP APIs can be confirmed and supported.
Secondly, WS-* compliance is tested to ensure standards such as WS-Addressing, WS-Discovery, WS-Federation, WS-Policy, WS-Security, and WS-Trust are properly implemented and utilized.