Continuous API Testing and Monitoring: Best Practices & Buy-in Guide
Evaluate continuous API testing and monitoring tools to significantly improve API quality, security, and reliability
v2.1 Contents
Four Key API Testing Strategies 4 1. Use Dynamic DDT to Check Entire User Flows 4 2. Ensure API Tests Are Created with Domain Expertise 5 3. Invest in an API Testing Tool with a Modern Architecture 5 4. Adopt a New API Metric: E2E Functional Uptime 5
Four Important API Testing Solutions 6 Solution 1: Solve QA/Testing Bottlenecks with Transparent API Testing 6 Solution 2: Monitor APIs With or Without a CI/CD Pipeline 7 Solution 3: Reuse API Tests as Functional Uptime Monitors in Production 8 Solution 4: Create a Single Pane of Performance Analytics 9
API Testing Automation: Evaluation Criteria 11 Features Evaluation Checklist 11 Conclusion 12
About API Fortress 13
Continuous API Testing and Monitoring: Best Practices & Buy-in Guide 2 Shift-left API testing automation has been increasingly embraced by developers and QA teams as essential to successful agile software development or a CI/CD pipeline. In theory, automated testing early in the lifecycle should reduce costly late-lifecycle QA/testing bottlenecks. Yet bottlenecks continue to plague developers and testers, and the number of undetected API bugs that go live and reach end-users or hackers remains alarmingly high.
$2.8 trillion was spent in the U.S. due to poor quality software (CISQ)
One of the critical issues behind a failure of testing effectiveness at agile organizations involves the complexity of managing the scope and scale of API testing, that is, in striking the right balance between time-to-market and quality-to-market. Companies need to do more testing in less time, but a major roadblock stands in the way - the diverse teams that share in API success tend to work in silos.
Development, QA/Testing, and DevOps teams may struggle to find consensus on which API metrics should be tracked to set KPIs
A core reason for silos in an agile organization stems from the wide gap in priorities and accountability among the teams that own APIs. While developers may be most concerned about delivering a shippable product on time, QA/testing teams may be more concerned about validating whether the product satisfies the user story. Then DevOps or DevSecOps leaders have uptime and reliability concerns that extend beyond the delivery sprint. Banking, financial services, healthcare, and other types of enterprises that deal with advanced API security and compliance issues run into more complications that divide siloed teams even further.
With the right API testing and monitoring tools, agile organizations can bring insight-driven visibility and collaboration to distributed teams. This is needed to set companies on the right path to transform API testing reliability and performance.
This white paper offers a breakdown of recommended API testing strategies along with insights about using the right API metrics to set up more viable KPIs based on our years of experience at API Fortress in working with several of the world’s most innovative retail, banking, financial services, insurance, healthcare, telecom, education, entertainment, and aeronautics/aviation companies. Additionally, this white paper includes a breakdown of best practices for implementing good API testing and monitoring tools.
Continuous API Testing and Monitoring: Best Practices & Buy-in Guide 3 Four Key API Testing Strategies
Prior to agile development, CI/CD pipelines and microservices, UI and Unit testing dominated the testing pyramid. And then, the only essential role of API testing was to verify Test Automation the contract and check for a ping round trip. Now, API tests must effectively act as end- to-end tests that validate entire user stories. UI Tests This new set of strategies (along with new metrics) are needed to determine API testing E2E Testing success. The following “Big Four” strategies have been derived from what we have seen in next-generation approaches to API testing for modern systems with contemporary toolchains and CICD flows. We hope these strategies help leaders of development, QA and testing, enterprise architecture, DevOps, and product teams to better quantify the efficiency and efficacy of their current or proof-of-concept API testing tools.
Strategy 1: Use Dynamic DDT to Check Entire User Flows Modern API testing tools must be able to conduct multi-step integration tests across APIs to check on how well API endpoints work together (the “API flow”). In the real world, APIs use data that is not fixed or prebuilt. It follows that API testing tools should create API testing paths that are unpredictable. The best way to do this is to leverage Data-driven Testing (DDT) from active databases or highly variable (fake) testing data. The goal is to create tests that involve multiple steps, including calling an API that can trigger a sequence of unique API calls in an array. In some cases, testing systems include components that convert databases into APIs to be used as these dynamic APIs. Additionally, modern API testing tools should automate OAuth 2.0 flows to avoid disruption to DDT while also validating SSO and multi-factor authorizations.
Continuous API Testing and Monitoring: Best Practices & Buy-in Guide 4 Strategy 2: Ensure API Tests Are Created with Domain Expertise
While developers can certainly write tests that verify the technical capabilities of the APIs they build, it can be ineffective and/or inefficient for developers to create API tests that also validate the user story. Instead, API tests from developers that simply prove whether an API is working when used correctly can form the basis for more stringent and comprehensive tests written by professional QAs with high knowledge of the problem and solution domains. These holistic tests may include end-to-end integration tests that can check entire flows involving arrays of APIs that may have been built or changed by many different teams. Ultimately, the goal is to leverage one unified test with consistent domain knowledge for proactive and real- time insight about API health throughout constant changes to code and databases.
Strategy 3: Invest in an API Testing Tool with a Modern Architecture Modern API testing tools, in particular, tools that excel at testing APIs in agile development and CI/CD pipelines, must offer a robust set of APIs for plug-and-play integrations with existing and modern DevOps tools. Today, many companies benefit from sending all test results to a best-in-breed analytics platform such as Elastic or Splunk, while delegating notifications to best-in-breed solutions such as PagerDuty or Slack.
Additionally, with modern architectures, API testing tools can evolve along a far more innovative roadmap. If a company is evaluating a number of API testing tools that are divided between unified testing suites that piecemeal together multiple apps/services versus a best- in-breed unified testing platform, the best-in-breed platform is almost always the better choice. Most API owners should avoid vendor lock-in, and future-proof their increasingly agile toolchains for cloud maturity and distributed services.
Strategy 4: Adopt a New API Metric: E2E Functional Uptime On its own, API uptime (an HTTP 200 OK) is an outmoded metric for continuous API quality. Modern API testing tools must go beyond uptime, and simplify validation of the user story by checking the business logic and service layers for problems across functionality, reliability, performance, and compliance as well as potential security vulnerabilities. A holistic verification of these layers allows a good API testing tool to significantly improve on the accuracy and consistency of uptime reporting, particularly, in reducing false-positives and ensuring adequate testing coverage. Testing Centers of Excellence or smaller QA/Testing teams sometimes refer to this new API metric as “Functional Uptime” or “End-to-End (E2E) Uptime.”
Continuous API Testing and Monitoring: Best Practices & Buy-in Guide 5 Four Important API Testing Solutions
Before breaking down the best practices of a good API testing tool, this section provides a framework for how the best practices were selected. The focus of the assessment is geared toward solving four key API testing solutions that are critical for any organization moving from a monolithic stack to distributed services and cloud maturity.
Solution 1: Solve QA/Testing Bottlenecks with Transparent API Testing
63
32
22 23
Plan Build Test/QA Release / Deploy
Most of the costly and time-consuming bottlenecks that hold up software development happen in the QA/testing stage. Insufficient or poor collaboration between technical and product teams (or line of business owners) with poor or no visibility into end-to-end API testing is often at fault. True end-to-end API testing tools tackle this problem by making it easy for stakeholders of all technical and coding backgrounds to work in parallel. Ultimately, the goal is to minimize the risk of falling short of validating the user story without delaying go-to-market.
Another vital aspect of API testing transparency is to ensure that all teams are clear on the scope of testing coverage. Insufficient attention to this detail may result in high numbers of false-positives, which allow malfunctioning APIs to exist in production environments for prolonged periods of time.
Continuous API Testing and Monitoring: Best Practices & Buy-in Guide 6 Solution 2: Monitor APIs With or Without a CI/CD Pipeline
Continuous API Testing and Monitoring in a CI Flow
Developers & QA CI/CD Pipeline Centralized API Testing and Debugging
Repo
Command Line Interface Test E ecution esults I E