Beyond 200 OK.pptx
- 1. Beyond 200 OK for your APIs
- 2. hello! I am Pricilla Bilavendran I am here because, I love to talk about APIs and spreading API literacy among Test engineers!! 2
- 3. What you can expect for today? ▣ Introduction to the API World ▣ Deep dive into API Testing ▣ Security Testing aspects for your APIs ▣ Performance Testing for your APIs ▣ API Automation repertoire ▣ Q&A 3
- 4. 1. APIs, APIs & APIs… The API Revolution 4
- 5. Few Interesting stats about APIs ▣ 90% of Developers are using APIs by some means ▣ 91% of Organizations had API Security Incidents in 2020 ▣ Open Banking predicted to have 130 Million Users by 2024 ▣ 93.4% of API Developers are still using REST ▣ 65% of companies are accelerating digital transformation after pandemic Source: Nordic APIs dated, Feb 2022 5
- 6. What is changing (changed)? 6 Source: Freepik.com
- 7. 2. Deep dive into API Testing Aspects of API Testing 7
- 8. “ API Testing is no more a luxury, it’s a necessity - Pricilla Bilavendran 8
- 10. ▣ Validation Testing ▣ Functional Testing ▣ Integration Testing ▣ Security Testing ▣ Performance Testing ▣ Reliability Testing ▣ API Documentation Testing ▣ Regression Testing 10 Types of API Testing
- 11. 3. API Security Security is someones’ everyone’s responsibility 11
- 12. “ Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. - OWASP 12
- 13. ▣ API1:2019 Broken Object Level Authorization ▣ API2:2019 Broken User Authentication ▣ API3:2019 Excessive Data Exposure ▣ API4:2019 Lack of Resources & Rate Limiting ▣ API5:2019 Broken Function Level Authorization ▣ API6:2019 Mass Assignment ▣ API7:2019 Security Misconfiguration ▣ API8:2019 Injection ▣ API9:2019 Improper Assets Management ▣ API10:2019 Insufficient Logging & Monitoring Source: OWASP 13 Top 10 vulnerabilities for APIs
- 14. API Security Testing ▣ To add Security testing as part of your API Testing ▣ Pay attention to the error codes/messages ▣ Prioritize the Role Based scenarios ▣ Proper Authentication/Authorization ▣ Continuous Monitoring ▣ Understanding the known vulnerabilities ▣ It’s a continuous process… 14
- 15. Bonus Tips to Secure your APIs ▣ Data Encryption ▣ Digital Signatures/Certificates ▣ Conducting Legal Audits ▣ Retire the old/unused versions of APIs 15
- 16. 16 Twitter Hack 2020 Twitter accounts of Joe Biden, Amazon CEO Jeff Bezos, President Barack Obama, Tesla CEO Elon Musk are hacked Source: Wiki
- 17. 4. API Performance Are they performing enough? 17
- 18. 18
- 19. “ The rabbit runs faster than the fox, because the rabbit is running for his life while the fox is only running for his dinner. - Aesop (Greek fabulist) 19
- 20. Why Performance Testing? ▣ APIs decides the overall application performance ▣ Stability, Scalability & Speed ▣ Customer gratification 20
- 21. How to measure the API Performance? ▣ Response Time ▣ Uptime/Availability ▣ Requests Per min ▣ Latency ▣ Errors 21
- 22. Need of an hour!! API Tests Automation 22
- 23. How to? 23 1 3 5 6 4 2 Identify the end-points and categorize Write tests to cover different aspects Integrate with CI/CD pipelines Use parameters and chain the requests based on the scenarios End-to-End Test Suite Run in the required frequency and report the deviations
- 24. Merits of API Automation Efficient APIs Helps to create high quality APIs Cost minimization Finding potential defects at early stages Increased Coverage Covering the positive, negative, security and performance tests Helps other stakeholders Developers and other related business owners can also execute the scripts Avoids Manual Errors To some extent few human errors can be avoided Easy to maintain Integration with the CI/CD pipelines, parametrization etc. helps to maintain the scripts easily 24
- 25. 25 Recap… ▣ APIs are the new normal ▣ To involve different types of API Tests ▣ Watch out for the vulnerability lists from OWASP ▣ Good APIs build good performing applications ▣ API Automation is a holistic process
- 26. Thanks! Any questions? You can find me at @pricillabelwin 26
- 27. Credits Special thanks to all the people who made and released these awesome resources for free: ▣ Presentation template by SlidesCarnival ▣ Photographs by Unsplash 27
Editor's Notes
- #2: Getting 200 OK is fine, but we need to focus on things beyond that. Few other aspects of the APIs
- #4: We are all into it already We do API Testing in most of the organizations, but are we doing it enough API automation is crucial in current trend
- #6: Open Banking is a system that provides third-party access to financial data using APIs
- #7: Remote work culture Food delivery apps, groceries and medicines Payment can be done in milliseconds around the globe All these are possible with the microservices architecture. And then run using the API calls
- #9: Start drifting towards shift left
- #10: What should you actually test?
- #11: Basic check or the happy path of the API, immediately after the development Functionals Tests: Contract, component and scenarios/flows. Here we will cover the extended positive flow, negative flow and some deeper negative testing trying to break the API Multiple endpoints/system APIs Security: Penetration and Fuzz Performance under different loads How reliable are your APIs? Manual book After defect fixes, add your regression suite to ensure the API behaviour
- #13: The Open Web Application Security Project (OWASP) is a trusted nonprofit foundation that publishes software security analysis.
- #14: In 2019, they released an API security vulnerabilities list as well. As the value of APIs increases in our daily lives, these touchpoints become more vulnerable to attack. Let’s see OWASP top 10 API security vulnerabilities list. Getting to know about these vulnerabilities is the first step towards improving the security for your APIs. Broken Object Level Authorization: Accessing objects which you are not supposed to view. User id: 59 User Id: 60 Broken User Authentication: Able to sign-in using Invalid/wrong passwords, expired tokens. Focus areas are account creation, sign in, forgot password Excessive Data Exposure: Unwanted sensitive data exposed in the request body or response Lack of Resources & Rate Limiting: Overloading server, memory and CPU usage. Restrict using limit counts (if you are not restricting for upload then it could crash the server resources) Broken Function Level Authorization: normal users accessing privileged or admin resources, because I am already authenticated Mass Assignment: Just because an endpoint isn’t publicly documented does not mean developers can’t access it. Hackers can easily intercept requests and reverse-engineer a private API. whether you are able to pass on the additional tags or values along with the request body. Security Misconfiguration: Whether sensitive data stored without encryption, if the error message is returning any secured or protected data Injection: Feeding API with the malicious data, SQL Injection. They might erase some data Improper Assets Management: API documentation, API Versioning (any security bugs in the previous version might left unnoticed, so always retire the old versions if unused) Insufficient Logging & Monitoring: Ensure the proper logging, monitoring and alerting, attacks can't be traced.
- #16: Data should be encrypted while travelling and while resting
- #19: https://en.wikipedia.org/wiki/Google_services_outages