Under the theme of continuous innovation, Grigori Trofimov, a senior solutions engineer at Parasoft, said the update introduces integrations with generative AI capabilities through LLMs and OpenAI, to build upon the company’s implementations of AI for UI testing, static analysis and API testing, among other things. “Now,” he said, “users can use their own definition files and text-based instructions or natural language instructions,” enhancing the test creation process.

And, he noted, as far as API testing is concerned, the update provides a clean sequence of API calls to work with, so testers don’t have to manually stitch together API calls. All of this, he said, brings new capabilities to SOAtest, the company’s API functional, load and security testing tool. “SOAtest already is that Swiss Army knife, with all the assertions, validations, databanks … everything we’ve built over the last 15 years. And now you have generative AI, so the combination is very powerful.”

Another feature under the continuous innovation banner is improving code coverage around distributed microservices architectures within SOAtest. “The idea here is that you’re testing some components within your microservices deployment, such as API tests, smoke tests, and health checks, but if you’re running regression suites using some external framework, you may not necessarily know what the impact of those tests are,” he explained. “You know you have test coverage, you might have some user stories and features that you’re covering with those tests. But as far as what actual microservices, what actual lines of code are being tested in those, you don’t really know. And you’re not really able to identify gaps or tie those types of tests to any metric, or to any criteria that can tell you you’re doing good testing.”

Parasoft’s introduction to code coverage for distributed microservices supports both Java and .NET microservices, and users can collect data from code coverage on each component, with merged coverage for your system or application as a whole across all microservices, and provide test impact analysis, Trofimov explained. That impact analysis can show that when one microservice changes, for example, the tool can tell which tests are impacted by those changes. The benefit is that if you have a small incremental change in your daily build, you don’t have to wait on the full regression suite, which could take 10 hours, so you can provide quick feedback to developers that if some test doesn’t pass, they can fix it right away.

Accessibility can enhance overall user experience, and in this SOAtest release, Parasoft is introducing a web accessibility scan, which is a tool that can be added to browser-based UI tests to catch accessibility violations. Trofimov said Parasoft adheres to the WCAG 2.1 AA specification. 

Finally, a new feature called Learning Mode is introduced in Parasoft Virtualize that Trofimov said automatically creates virtual services and updates and records data. “A common flow for service virtualization is that you have a real endpoint for a third-party endpoint that is not available in a test environment,” he said. “So you would record traffic and use that traffic to create the virtual asset that mimics the logic of the real service. So we’ve taken that flow and put it into a single checkbox called Learning Mode, so now when you have a real endpoint you need to virtualize, you can just set up the proxy, check the box that says Learning Mode, and starting from that point, it’s going to learn what the real service is doing. And if it finds a match on previous data that needs to be updated, it will update the data automatically.”

Parasoft’s product roadmap, Trofimov said, continues to be very much driven by its customers and partners. In this release, the company is tackling the Kafka protocol for data streaming and event-driven architectures, and is focusing on the Avro data serialization message format. “Our customers have been using our Kafka support and they’ve asked for this Arvo message format as well as Confluent schema registries,” he said. “Both of those together are basically like your JSON Swagger definition but oriented toward Kafka and data serialization.” This implementation is available to both SOAtest and Virtualize customers.

The post Parasoft enhances its Continuous Quality Platform around API testing, virtualization appeared first on SD Times.

This developer-centric tool enables API providers to create personalized landing pages, offering consumers comprehensive resources for easy API implementation. The SwaggerHub Portal integrates with SwaggerHub, a popular API design and documentation tool, as well as Explore, an API client supporting REST and event-driven specifications. 

This integration also allows teams of any size to explore, design, test, and document APIs all in one place, aiming to enhance the developer experience.

“SmartBear is focused on API-first development, helping developers to solve their challenges when it comes to design, documentation, testing, and adoption,” said Sean Butler, vice president of product management at SmartBear. “With a growing number of APIs available, providers need help with discoverability and onboarding. To address this challenge, we are excited to launch these two innovative milestones – SwaggerHub Portal and its integration with SwaggerHub Explore – as we advance toward the SmartBear API Developer Lifecycle platform to deliver the best developer experiences in the industry.”

SlashData found that more than 90% of developers use APIs regularly, with 69% relying on third-party APIs. However, successful API implementation depends on discoverability. SwaggerHub Portal addresses this by enhancing visibility and adoption, enabling providers to easily onboard consumers for a better customer experience.

SwaggerHub’s integration with Portal allows developers to generate documentation from their API designs with zero context switching. This minimizes time to market, making their APIs easy to discover and adopt. Development teams, whether code-first, design-first, or hybrid, can generate documentation from Explore, no longer needing to start from scratch when documenting, SmartBear explained.

The post SmartBear launches SwaggerHub Portal to promote API adoption appeared first on SD Times.

Customers will now be able to create and expose a number of types of APIs from the Gravitee API creation wizard. These include REST APIs, WebSocket APIs, Webhook subscriptions, gRPC APIs, SSE APIs, GraphQL APIs, Kafka topics, MQTT topics and Solace event APIs.

The creation wizard can also now “expose Kafka, MQTT and Solace resources as REST APIs, WebSocket APIs, Webhook subscriptions and SSE APIs,” Gravitee explained.

Customers can also now enforce policies at the message level. These policies can be created in the Gravitee Policy Design studio, which is also new. 

In addition, the company added support for serialization and deserializatiron of information, with validation against target schemas that are stored in specific registries. 

“Our vision for API management is that it becomes a healthy, competitive space where companies can choose from API and protocol-agnostic API gateways and solutions,” said Rory Blundell, CEO of Gravitee. “Today we are advancing the category in a way that gives customers the tools they need to respond to significant business opportunities in real time.”

The post Gravitee adds new API management tools in latest update appeared first on SD Times.

With 70% of respondents to a report expecting to use more APIs in 2023 than last year, this presents a heightened challenge for API security, which only comprises about 4% of the testing efforts at organizations today. 

The 4th annual State of the APIs Report collected insights from more than 850 global developers, engineers, and leaders from across the technology community spanning over 100 countries including the US, the UK, Germany, and India.

The increased API usage is especially prominent in telecommunications, which is projected to rise to 72%, up from 59% last year. This is followed by smaller, yet still considerable, increases in the fields of technology and professional services. 

Mark O’Neill, VP analyst, and chief of research for software engineering at Gartner, correctly predicted in 2021 that by this year, API breaches would be the number one threat vector for web applications. 

“Part of the reason for that is because with mobile and web apps, along with any other type of modern application that you’re using, it all involves the use of APIs,” O’Neill said. 

Gartner research has estimated that by 2025, fewer than half of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools and “security controls try to apply old paradigms to new problems.”

This vast number of APIs floating around the organization is further complicated by multiple teams building and managing APIs all while using different cloud platforms and frameworks, according to O’Neill. 

“When you have different platforms where your teams are building and deploying APIs, there’s no one place to put the gateway, which is a problem for traditional API management solutions,” O’Neill said. 

To secure this wide API landscape, many companies have put up multiple gateways, which means that now there are more gateways in front of APIs, but it created a new problem of learning how to manage all of these gateways together. 

“Many clients have asked us for a federated solution that would work across different API gateways and allow teams to have a single picture of their API traffic and to have a single control plane for management and security, but at the moment, that is a gap in the market,” O’Neill said. 

A single federated solution would allow users to set up authentication and authorization schemes across different APIs, ensuring that only the right users have access to the right resources. It also enables administrators to set up rate limiting and other security measures, such as IP white/blacklisting, to protect against malicious attacks. 

With such a solution, teams would also gain visibility into API performance and usage, allowing teams to identify and address potential security issues quickly.

A hodgepodge of APIs in use

The other problem APIs present for API management solutions is that there are many different types of APIs in use.

The API jumble often consists of REST, Webhooks, Websockets, SOAP, GraphQL, Kafka, AsyncAPIs, gRPCs, if not more. 

“If you look at a typical organization that has deployed API management, they may believe that all of their APIs are being managed on one platform,” O’Neill said. “But typically, there are a lot of other APIs that they have that are part of web applications, part of mobile apps, and they’re not managed, they’re effectively under the radar for that organization. And these are the ones that get breached.”

The APIs to watch out for in particular are GraphQLs, according to O’Neill. Users can do very wide and deep queries on data, which can also be their downside because it’s difficult to set up proper access control rules. The complexity of the query can make it hard to predict what data will be accessible. 

Additionally, the use of variables in queries can make it difficult to prevent malicious users from exploiting the API. GraphQL APIs are often stateless, which means that security teams need to ensure that all requests are properly authenticated and authorized. These types of APIs are also new so many organizations are just building up their security teams’ skills around GraphQL and graph APIs in general. 

Another challenge is to consider where all of your APIs are coming from. 

While internal APIs were still the most common API type developers reported working on for their organization, more developers in 2022 reported working on partner-facing or third-party APIs than the year prior. In addition, the SaaS applications that developers utilize also often use their own set of APIs. 

The percentage of developers who reported working on partner-facing and third-party APIs grew by almost 5% in 2022 compared to 2021, according to the 2022 State of the API report. This change was even more dramatic with partner-facing APIs in industries like technology, which grew by nearly 10%.

One hotspot of security issues tends to be around the APIs that require access to data: customer data, preferences, and all sorts of account information. Issues also surround APIs that run a function to do something because often that requires a transaction, so payment information might be at risk, O’Neill said. 

“One is the whole area of loyalty cards where you get points for making purchases, traveling, and so on. Those involve many APIs. So you have an API to look up how many points a certain person has or you have an API to spend the points. We’ve seen security breaches where attackers have been able to find people who have accrued many points and then spend those,” O’Neill said. “Often the person is not aware, because they simply were not aware that they were running up all these points in the first place, and then they’re not aware when they get spent.”

Best practices for API security

The first step for ensuring API security is to catalog all of the APIs in the organization and to have an inventory. Often, companies only look at their existing API gateway to see what APIs are registered there, but even multiple gateways don’t paint the complete picture, O’Neill explained. 

“The way that we advise people to do this is to see what APIs your business depends on,” O’Neill said. “So those of course can be your own APIs, but they can also be important to APIs that you’re consuming from third parties as well. It’s going to be a problem if those APIs suffer a security breach, if they are unavailable, or if they are just simply changing and creating breaking changes. So API discovery is a hard problem because you have to look in multiple places for the APIs.” 

One approach is to simply ask the internal product managers who are then speaking to engineering leaders about what APIs the teams are building. 

There are also some solutions on the market that enable users to tap into application firewalls in the infrastructure at the CDN level to look at the traffic and see what API calls are happening. 

“That approach can in many ways be too late because those APIs that you’re discovering are already in production. But still, it’s better than not discovering them at all,” O’Neill said. 

Using APIs to increase security

By collaborating with APIs, organizations can become more secure as a whole. One such example occurred in the Open Banking Initiative that started in Europe but has since spread in popularity to North America.

The Open Banking Initiative began in January 2016, when the Competition and Markets Authority (CMA) in the UK issued a directive ordering the country’s nine largest banks to open up their customer data to third-party providers.

Since then, it has become valuable because it has allowed financial institutions to create Open APIs that outside organizations and their third-party developers can leverage, according to MuleSoft in a blog post. 

Rather than opening up the APIs to attack, the initiative enabled a secure form of data exchange that accelerates collaboration with outside organizations and has decreased the risks associated with screen scraping, a technique used by programs to extract data from the human-readable output of a computer application. 

Screen scraping is insecure because it requires customers to provide third-party aggregators with login credentials and it also pushes significant traffic to servers with every “scrape.”

Open Banking initiatives offer financial institutions the opportunity to safely collaborate with third-party developers through APIs. Unlike screen scraping, this secure data exchange is API-enabled and does not strain or overload servers. 

Market forecast for 2023

Cyberattacks and data breaches don’t pause with an economic slowdown. When prioritizing security investments, security leaders should continue to invest in security controls and solutions that protect the organization’s customer-facing and revenue-generating workloads, as well as any infrastructure critical to health and safety for those organizations in industries such as utilities, energy, and transportation, according to Forrester in its Planning Guide 2023: Security & Risk.

“API-first is the de facto modern development approach, and APIs help organizations create new business models and methods of engagement with customers and partners. However, security breaches due to unprotected APIs and API endpoints are common and no single type of tool fully addresses API security,” the guide states. 

API management tools address authentication and authorization issues, while API-specific security tools are used for scanning and discovery. Additionally, some security tools extend further to provide runtime protections and microgateways to protect against API attacks. Traditional security tools such as WAFs and bot management solutions are also expanding to cover these attacks, the report added. 

Gartner’s O’Neill said that he is seeing large vendors take steps forward in providing strong API protection and are acquiring some of the smaller specialist vendors that have come along for API protection as well. 

According to the 2022 State of APIs report, 69% of developers said that they expect to use APIs more in 2023 while 25% said that they expect about the same. Only about 6% stated that they expect less or they didn’t know. 

The post Time to hide your API appeared first on SD Times.

A key feature of the release are the platform-specific locators for Salesforce and Guidewire low-code development environments. According to the company, this will help ensure the testability and quality of applications. 

“As organizations accelerate their digital transformation to leverage enterprise platforms and cloud technologies, they need confidence that their applications will continue to run smoothly and provide a positive user experience. Automated testing helps them ensure they cover all the bases for unit, API, and UI levels at speed. Smart companies choose the Parasoft solution to make sure they can meet their business and technical goals,” Richard Sherrard, vice president of products at Parasoft.

The company’s portfolio also includes:

• SOAtest, which is designed to automatically capture underlying API traffic and leverage artificial intelligence to convert the traffic into API tests
• Selenic, which aims to validate end-user experience with AI-powered self-healing and recommendations for UI tests
• Virtualize and CTP, which uses simulated services and APIs to test interactions earlier in the development process. 

The post Parasoft enhances API and UI testing with 2020.2 release appeared first on SD Times.

“With over 95% of API vulnerabilities caused by human error or functional error, it’s very important to functional test all APIs prior to release, and then monitor them with the same functional tests. As more companies accelerate releases and incorporate automated CI/CD pipelines, detecting and fixing functional errors before they are released is more important than ever,” said Patrick Poulin, CEO and co-founder of API Fortress. 

Other features of the new release include the ability to import OpenAPI or Swagger spec files and generate a large number of functional tests. 

Snyk raises money for developer-first security 
Snyk announced a $150 million investment round, bringing the company’s total investment to $250 million and valuation to $1 billion. According to the company, the new investment will be used on advancing developer-first security as well as security organization’s digital transformation efforts. 

“This investment accelerates Snyk’s significant momentum in transforming the way application security is approached and delivered in software-driven enterprise organizations,” said Peter McKay, Snyk CEO. “With rapid 2019 revenue and customer growth from both individual users and scaling development teams, we are seeing the market embrace developer-first application security to help tackle the increasing cybersecurity concerns that come with digital transformation.” 

The latest investment was led by Stripes and included other investors such as Accel, Coatue, Tiger Global, Boldstart, GV, Canaan, Trend Forward, Amity and Salesforce Ventures.

TestProject and Sauce Labs team up on codeless test automation
The new end-to-end automated testing experience will cover test creation, execution and analysis. According to the companies, the solution will leverage TestProject’s codeless test creation services and Sauce Labs’ continuous test execution services. Together, the companies will be able to create, store, execute, and analyze automated tests across a wide range of browsers, operating systems and devices. 

“Shifting workloads to the cloud is consistently ranked as one of the most important initiatives on a CIO’s agenda, and testing is an increasingly important focus,” said Kevin Dunne, general manager of TestProject. “The combination of TestProject and Sauce Labs is a powerful one for organizations looking to ease the onramp to automation through codeless test creation and develop a continuous testing strategy consistent with CI/CD best practices.”

HCL Technologies to focus on Microsoft technologies
The company announced a dedicated HCL Microsoft Business Unit that will extend Microsoft’s offerings and help employees do more in the modern workplace. In addition, the business unit will provide support for clients in financial services, healthcare and life sciences, manufacturing, retail and travel industries. 

“The HCL Microsoft Business Unit is the next phase to bolster HCL’s successful and long-standing relationship with Microsoft. Increasingly, customers are making bold strides, incorporating IoT solutions with machine learning for analytics, running this solution in the public cloud and supported by CRM,” said Kalyan Kumar, corporate vice president and CTO for IT Services of HCL Technologies. “This business unit combines HCL’s specialized services and global reach with Microsoft’s powerful cloud and business technologies, making a strong and unique offering for clients. These offerings are coming at a critical time when enterprises are aggressively implementing digital technologies for competitive advantage. Spearheading the HCL Microsoft Business Unit is Don Jones, who brings 20+ years of Microsoft experience, having created numerous successful solutions and go-to-market campaigns with Microsoft, and we’re confident in his ability to successfully lead this initiative.”

The post SD Times news digest: API Fortress’ Mass Functional Test Generation, Snyk raises $150 million, and TestProject and Sauce Labs’ codeless test automation plans appeared first on SD Times.

That, in its most elemental definition, describes Parasoft’s new tool for UI testing. Called Selenic, the tool rounds out Parasoft’s test offerings, from unit testing to API testing up to the user interface.

Selenic monitors Selenium tests, discovering errors in the user interface, making remediation recommendations into a developers’s IDE and doing its own self-healing right in the integration pipeline. The tool is in beta testing now and Parasoft announced a pre-release today at the STARWEST testing conference in Anaheim, California.

RELATED CONTENT: Testing all the time

Parasoft created Selenic after asking customers how they test their UIs, to see what it could do to leverage customers’ existing UI test practices. According to Mark Lambert, vice president of product management at Parasoft, the company didn’t realize how big Selenium is, with 64 percent of organizations responding to their survey saying they use or are moving to Selenium. Another 7 percent use open-source frameworks or custom tools, and 14 percent are doing manual testing. The remaining 15 percent use commercial tools — Tricentis, SmartBear and Parasoft’s SOAtest with its UI testing capabilities. 

The open-source Selenium project is 15 years old, and there are those who say it wasn’t built to solve the problems that today’s new architectures present. But, according to Max Saperstone, director of software test automation at consulting company Coveros, companies have been looking to replace Selenium with their own tools for years and have not seen significant traction to do so. “Yes, there are some problems [with Selenium], and there are some tools trying to fix some of them,” Saperstone said, “ but it’s more in the underlying way that people are trying to do automation than the tools themselves.” People, he has observed, are not using Selenium correctly for test automation.

“It really is a matter of, a mentality shift, from going from ‘Hey, I can’t just take my manual tests and automate them.’ That’s not the right way to be doing automation,” Saperstone said..” You need  to put more thought into it. The reason that there’s all this maintenance time that I’ve seen in the field is because people take this one- or two- or sometimes 10-page long test case and they convert that directly into Selenium. And then they say, well I have 1,000 different steps I just went through and so I have to maintain all of those. But if the second one breaks, those other 998 I never even get to and so I have no idea if they actually work or not.” 

Other challenges to doing UI test automation are creating reliable locators and wait conditions, maintaining tests after UI changes, discovering and debugging automation failures, the test suite execution time, and the knowledge and skills to create scripts. These are the issues Parasoft is looking to address with Selenic. 

“A lot of these web applications have dynamic elements within them, with dynamic internal IDs, and it’s difficult to figure out how to correctly locate the element on the page,” Parasoft’s Lambert explained. Next, he added, “is handling the maintenance of your test suite when the UI changes. Changes to the UI — the move of a button, the change of label — can have significant roll-on impacts to the test suite, and to be able to update those tests in a short period of time was very challenging.”

Selenic is built using the Page Object Model, which is a design principle for creating Selenium tests. Chris Colosimo, product manager at Parasoft, explained: “You have your script, and as it traverses your application, it’ll click on buttons, inputting in the fields — each one of those elements represents on a page of your application. In the Page Object Model, the way you write your Selenium tests is you build these pages as objects and then on each individual object, you reference all your buttons. You can define where a button on a page is once and use it multiple times in your application. It just makes maintenance much easier.”

Saperstone said, “Developers are going to change their locators, and testers don’t find out until it dumps into the pipeline, or until it’s even handed over to them, and it’s kind of just blind guessing… why don’t my tests work anymore? What did they change? I spent weeks and months working with some organizations just trying to get the developers talking to testers so it doesn’t happen all the time. I still believe that’s the ideal solution — communication between the teams. [Selenic] does in fact make it so that when that does happen, it’s not this ‘we don’t know what’s broken; I have to do a lot of this analysis.’  It just kind of did this nice self-healing of the broken locators, which again is fairly cool, I would say some of the products I’ve worked on, I’ve literally spent half of the maintenance time to put in to keeping scripts up to date literally just updating locators, which is an awful and tedious thing to have to do”.

In a demo, Colosimo showed Selenic monitoring a Selenium test and found that a test failed due to a bad locator. Selenic captured a screen shot to show where the test failed; something was wrong with a field. Selenic’s Smart Selenium Testing feature, which uses AI for test stability and maintenance, makes a recommendation on how to fix the test. It turns out the test failed because a button could not be clicked upon, and the recommendation was to update the locataor in Selenium with another specific locator, that, Colosimo said, had “a 96 percent confidence factor that says these are the correct locators to use.” 

He explained that the AI engine used analysis of previous test success to construct a new, smart locator, and prioritizes suggested fixes. Those recommendations, Colosimo added, can be imported directly into the IDE — Eclipse in this instance — and take you right to the line of code to make the change. Selenic, though, can self-heal the Selenium code in the JVM at runtime, selecting the best locator and swapping it out so the test doesn’t fail, allowing developers to validate the application without losing the time to make the fix.

Lambert said that Parasoft has enhanced its recorder to capture actions against the UI directly from the browser. “The self-healing stops the nightly build from breaking unnecessarily; the AI recommendations help you maintain and enhance the test case, cutting down your maintenance time by 20 percent,” he said. “These are two primary value propositions with Selenic.”

He went on to say that, “What’s important is, that object model is the way you create more maintainable tests. As we create additional recordings, we add that to the Page Object Model, so we’re not creating scripts to run in isolation. They’re actually reusing the same object contacts, and that’s really the value of the Page Object Model.”

Colosimo noted that Selenic enables users to get to the code when it’s needed, describing why Parasoft eschewed the scriptless approach. “The reality is, every UI is different… the widgets, the pulldowns. In 80 percent of the applications out there, at some point you’re going to have to do something complicated. By having direct access to code — Selenium code and a massive Selenium community — it almost becomes easier to use than the scriptless approach, because you can know what to do when you get stuck.”

Coveros’ Saperstone commended Parasoft’s positioning of Selenic as a complement — not a replacement — for Selenium. “ A lot of companies I work with, it’s all about, ‘Stop using Selenium, and migrate over to our tool. Use our stuff.’ And, if you don’t like it, it’s kind of too bad,” he said.” All of your code is now with us. That’s one of the really cool things about Selenic. You just add it as another command-line parameter to whatever you currently have going, as long as it’s Selenium and Java. If you want to stop using it, great. Your tests still work, you just no longer get that one piece of functionality, that’s providing locator healing, etcetera. So you don’t have to make this huge investment in order to get the benefits. That I think is one of the most unique things about it, because most tools are all about, well, let’s get you over to use our software, which is more retention-based than anything else. For me, as someone who loves using open-source tools, that’s a little bit frustrating.”

Selenic will be on a four-times-per-year release cycle, Lambert said, with a 2019.1 release due Oct. 31, and a 2019.2 release  set for Dec. 19. In mid-Q1 next year, 2020.1 will be released.

The post Parasoft rolls out Selenic UI automated test tool appeared first on SD Times.

APIs have helped to share data efficiently across various ecosystems, have opened up new opportunities for companies to better serve their customers, and have continued to foster innovation. In fact, the Open API specification was formed in 2016, to help clients understand and consume services without knowledge of server code more seamlessly; thereby increasing efficiency. In summary,  API’s are the glue that binds systems together and it is here to stay.

APIs are a set of commands, functions, and protocols that programmers use to interact with an external system. They provide developers the ability to tap into different programs and perform different operations without having to build the program from scratch. 

RELATED ARTICLES:
APIs help developers do more with less
Debunking the API revolution

The biggest advantage of APIs is the level of abstraction they provide by exposing only the data that are needed to communicate with another system. For example, Google’s Maps API is used by number of organizations to provide Google Maps support instead of companies having to build their own maps application. The same holds true for Mint, the finance app that connects via APIs to different banks to fetch the required customer data. 

How do APIs work?
On a high level, API communication is a three-step process:

• Step 1 — A client/application sends an API request to the server The request contains an API key to uniquely identify the sender
• Step 2 — The request then goes to a server and the API key gets validated to ensure the sender is credible
• Step 3 — Based on the validation, a response is sent back to the client/application

REST and SOAP are the most commonly used API paradigms. REST (Representational State Transfer) is an architectural style that defines a set of constraints for creating web services. SOAP (Simple Object Access Protocol) is a protocol that defines the way structured information is exchanged within web services. There are considerable differences between the two and each one has its own advantages and disadvantages.

Testing APIs
In the past, APIs were developed on an ad hoc basis; it was acceptable to leave them to be vetted and tested by developers alone. However, now APIs can be seen as a separate product offering in and of itself that support a company’s strategic vision; therefore, a more robust approach to testing APIs is required.

The main questions to consider as part of API testing include:

• Is the API public-facing or internal? 
• Is it necessary to integrate with components outside the system or application?
• What are the endpoints and value types? 
• Where is the data coming from? Can the data be accessed freely or is some sort of key or authentication required?
• How will you verify the expected result? How will it be determined if the API performed as intended under the specified circumstances or scenarios?
• Is the API logic simple or is it more sophisticated; with dependency-based decisioning?
• Under what conditions is a site, app, or function most likely to fail?

In addition to the above considerations, API testing should not be limited to just making a few ‘Get’ and ‘Put’ calls to verify that the values are returned as expected.  Developers tend to limit their unit tests to this type of straightforward verification. With APIs, testers need to be especially attuned to not only individual functions, but also the end-to-end sequence of events, calls, responses, and downstream events. At the very least, the most common and basic scenarios to test are:

• (GET) Results are returned as expected
• (POST) All parameters are passed and/or received as expected
• (PUT) Inputs are correctly captured and stored
• (DELETE) Deleted data is cleared from the database
• Error messages are meaningful and returned as expected
• Triggers for downstream events occur as intended
• For security, testing should also include scenarios for controlled access, authentication, and encryption

The above scenarios can be mixed and matched and in many ways. Also, just like automated tests for functional testing, API tests can be automated as well; to get faster feedback and adequate API testing coverage. 

API testing is a vital part of the overall testing strategy. It should cover three primary aspects: connectivity, response, and performance.

1. To test connectivity, simply make a call to the API using its URL. If a 200 response is returned, the API is connected. If no response is returned, or a connection failure error is returned, then connectivity failed; which means that the request was not received by the server.
2. It is important to ensure you get back the correct responses for different API requests. The validation includes looking for the correct values to be returned in the response along with the appropriate status code. The values returned are specific to the type of API that is implemented but in terms of status codes. Below are some commonly validated status codes in API testing:
   • 400 BAD REQUEST – Generic error that is returned when no other 4xx status code is appropriate. Domain validation errors, missing data and improper API requests are some examples.
   • 401 UNAUTHORIZED – Error code response for missing or invalid authentication token.
   • 403 FORBIDDEN – Error code response when the user is not authorized to perform the operation 
   • 404 NOT FOUND – Used when the requested resource is not found, it doesn’t exist or if there was a 401 or 403 error and for security reasons, the service masks it as a 404 error
   • 409 CONFLICT – Response for resource conflicts, for example, duplicate entries are found or trying to delete root objects when cascade-delete is not supported
   • 500 INTERNAL SERVER ERROR – This error code is returned when the consumer cannot identify the exact error from their end. It is a general catch-all error when the server-side throws an exception. 
3. An API’s performance can be said to be its most valuable feature. Each time an API request is made the response needs to come back in a matter of milliseconds. Also, depending on the application, thousands if not millions of API requests can be made, as in the case of Facebook, Google and Twitter. This being the case, the APIs should be able to handle large amounts of load without failing. If it does not have fast response times and unable to handle load amounts of request; the API is pretty much worthless. 

Also, It’s not just about the number of users that an API can handle, but also about how efficiently does a given API perform? How many additional web service calls are getting generated or how many times is it hitting the database? 

These are the types of questions that must be answered for an API to be ready to perform in the current marketplace.

The post 3 critical aspects of API testing appeared first on SD Times.

Some are choosing continuous testing, while others are automating their tests. Some are writing tests first and then writing code to pass the test, while others write code based on the desired behavior of the application, and then test to make sure the app is doing what is was intended to do. Still others are employing service virtualization,to ensure the components and APIs their applications need are reliable.

The companies are asking themselves about the amount of risk they’re willing to take when their applications go live.How do organizations decide which path to take? Are they trying to test during sprints? Are they convinced that manual testing is the only way to be certain the software meets their level of quality?

The SD Times Testing Showcase has been put together to give our readers a look at the many offerings on the market to help them address their testing challenges and align their testing with the rhythms of their software development life cycle.

So no matter which direction you’re heading with your testing — standing pat is not an option — we’re sure you’ll find something from the following providers to help you to your future of testing.

Micro Focus on the growth of intelligent testing
Choose Mobile Labs for Appium success
Parasoft simplifies API testing
Tricentis Continuous Testing platform

The post The 2018 SD Times Software Testing Showcase appeared first on SD Times.

“Developers and testers spend a lot of time talking about what an API should do and how to test it.  Then, as soon as there’s a change, they have to have the whole conversation again,” said Chris Colosimo, product manager at Parasoft.  

Meanwhile, more organizations are decomposing monolithic applications into microservices.  Developers are expected to know what the associated APIs do and how to use them, which becomes more difficult with scale.  For example, one Parasoft customer was managing 250 to 300 unique APIs just a couple of years ago. Today it’s managing 2,000.

“The developers were in constant training mode, explaining to each of the individual testers this is what the API does, this is how it works, this how you should test it, and this is how you can understand it,” said Colosimo.  “All of that goes out the window as soon as there’s change.”

In fact, test maintenance has become so costly for some organizations that they’re questioning the ROI of automated testing.

“Test maintenance kills you if you’re doing it wrong,” said Arthur Hicken, evangelist at Parasoft.  “When people say automation isn’t working, it’s almost always a maintenance problem.”

Forrester recently named Parasoft a leader in its 2018 Forrester Omnichannel Functional Test Automation Wave based on its innovative use of AI and machine learning.  

Introducing SOAtest Smart API Test Generator
Most API testing tools provide a place to create API tests, but it can be difficult to understand which APIs to test and how to piece them all together into a meaningful test scenario.  SOAtest Smart API Test Generator monitors how testers are interacting with an application in a non-disruptive way. From that, it extracts out relevant test scenarios.

“We capture the interaction between the application and the backend services and then leverage artificial intelligence to then extract out relationships and patterns in that interaction,” said Colosimo.

SOAtest users can then build a comprehensive API testing strategy.  The product includes visual tools and testing artifacts can be easily shared between development and testing teams.

Right now, a lot of teams favor UI tests over API tests because they’re the easiest to associate with requirements and non-technical users can understand them.  However, API tests reveal the component-level interactions with the application which accelerates defect resolution.

Knowing how individual APIs work isn’t enough, because the limited view doesn’t provide insight into how a particular application will order APIs or how APIs behave when they interact with other APIs.  

“You may have hundreds or thousands of APIs. You might get something to happen if you get them in the wrong order, but if you want something meaningful to happen, you have to get them in the right order,” said Hicken.  

A healthcare company recently slashed the time it takes to build API test scenarios in half using SOAtest.  Its situation was complex because it was simultaneously adding new brokers, consolidating systems, and ensuring that all doctors and providers could be found under their respective areas of specialty regardless of the insurance companies involved.  The developers integrated all of those connections in a week, then the testers were told they needed to identify those connections which they were able to do swiftly with API Test Generator.

Change Advisor automatically updates API tests
Parasoft Change Advisor collects information from all the API tests to identify how APIs have changed.  Users can create templates that automatically apply the changes across all relevant tests.

“When you build scripts you don’t want to lose all the work you’ve done,” said Colosimo. “Change Advisor takes the existing test and updates it, so it automatically works with the new API version.”

For example, a simple API update that changes a label from “price” to “cost” can be aggregated across tens of thousands of tests, automatically.

“This is really important because if I have 100 testers on my team, when changes take place I need one individual to come in, make the change, and then apply that to all the test cases,” said Colosimo.  “SOAtest Change Advisor handles the changes automatically. It’s quick, cost-effective, and more accurate.’

Learn more at www.parasoft.com.

The post Parasoft simplifies API testing appeared first on SD Times.