API management
Session 11am to 12pm
modernizing the enterprise through APIs
api management
modernize how we do our business
a big problem is broken into quarter-sized chunks of sub-projects
jQuery DataTables
need API delivery, security, management and discovery
API gateways solve problems like:
authentication
authorization
auditing
caching
rate limiting
format conversion (e.g. XML/JSON)
routing
queuing
threat protection
i.e. a high-performance policy enforcement point (and policy decision point)
an API gateway guards servers using a reverse-proxy model
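A minimal version of that enforcement pipeline, as an added example (not code from the session or from any vendor named on this page): a reverse-proxy-style gateway that authenticates an API key, routes, checks the required scope, rate limits per application, audits every decision and forwards with the credential stripped. The applications, keys, routes and backend address are constructed for the example; the `forward` callable stands in for the upstream HTTP request and the `clock` argument exists so the rate limiter can be tested without sleeping.

```python
import hashlib
import json
import time
from collections import defaultdict, deque


def _key_hash(api_key):
    # The policy store holds only a hash of each key, never the key itself.
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed sample policy data (hypothetical applications, keys and routes).
API_KEYS = {
    _key_hash("k-alpha-0001"): {"app": "mobile-app", "scopes": {"orders:read"}},
    _key_hash("k-beta-0002"): {"app": "partner-erp",
                               "scopes": {"orders:read", "orders:write"}},
}
ROUTES = [  # (method, path prefix, required scope, backend origin)
    ("GET", "/orders", "orders:read", "http://orders.internal:8080"),
    ("POST", "/orders", "orders:write", "http://orders.internal:8080"),
]
RATE_LIMIT = (5, 60.0)  # at most 5 calls per 60 seconds per application


class Gateway:
    """Policy enforcement point sitting in front of the backends (reverse-proxy model)."""

    def __init__(self, forward=None, clock=time.time):
        # `forward` stands in for the upstream HTTP call; `clock` is injectable for tests.
        self.forward = forward or (lambda backend, req: {"status": 200, "body": "ok"})
        self.clock = clock
        self.windows = defaultdict(deque)  # app -> request timestamps in the window
        self.audit = []                    # every decision, allowed or denied

    def _decide(self, status, reason, app, method, path):
        self.audit.append({"ts": self.clock(), "app": app, "method": method,
                           "path": path, "status": status, "reason": reason})
        return {"status": status, "reason": reason}

    def _route(self, method, path):
        for m, prefix, scope, backend in ROUTES:
            if m == method and (path == prefix or path.startswith(prefix + "/")):
                return scope, backend
        return None

    def _rate_limited(self, app):
        limit, window = RATE_LIMIT
        now, q = self.clock(), self.windows[app]
        while q and now - q[0] >= window:  # sliding window: drop expired timestamps
            q.popleft()
        if len(q) >= limit:
            return True
        q.append(now)
        return False

    def handle(self, method, path, headers):
        headers = {k.lower(): v for k, v in headers.items()}
        # 1. Authentication: unknown callers are refused before routing, so they
        #    cannot enumerate which paths exist.
        principal = API_KEYS.get(_key_hash(headers.get("x-api-key", "")))
        if principal is None:
            return self._decide(401, "unknown api key", None, method, path)
        app = principal["app"]
        # 2. Routing: is there a backend for this method and path?
        route = self._route(method, path)
        if route is None:
            return self._decide(404, "no route", app, method, path)
        scope, backend = route
        # 3. Authorization: the caller must hold the scope the route requires.
        if scope not in principal["scopes"]:
            return self._decide(403, "missing scope " + scope, app, method, path)
        # 4. Rate limiting, per application, counted only for authorized calls.
        if self._rate_limited(app):
            return self._decide(429, "rate limit exceeded", app, method, path)
        # 5. Forward: strip the credential and tell the backend who the caller is.
        upstream = {"method": method, "path": path,
                    "headers": {k: v for k, v in headers.items() if k != "x-api-key"}}
        upstream["headers"]["x-forwarded-app"] = app
        resp = self.forward(backend, upstream)
        self._decide(resp["status"], "forwarded to " + backend, app, method, path)
        return resp


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle("GET", "/orders/42", {"X-Api-Key": "k-alpha-0001"}))  # status 200
    print(gw.handle("POST", "/orders", {"X-Api-Key": "k-alpha-0001"}))    # status 403
    print(json.dumps(gw.audit, indent=1))
```

The order of the checks is the point: authentication before routing (so an unauthenticated caller gets the same 401 for every path), authorization before rate limiting (so denied calls do not consume the caller's quota), and an audit record for every outcome, not only for successes.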
bridge identities: OAuth 1.0, OAuth 2.0
OAuth / OpenID Connect
iOS and Android authorization SDKs
WebSockets
XMPP connections
Apple Push Notification service (APNs)
Google cloud notification
CA Mobile Access Gateway (MAG) for native and PhoneGap apps
CA API Developer Portal
CA API Gateway - Policy Manager
http://www.soatothecloud.com/2013/09/scaling-api-delivery-using-cloud-based.html
http://www.slideshare.net/patrickbouillaud/introduction-to-ibm-api-management
http://www.jmeotto.com/Solutions
https://kaustavdassoa.wordpress.com/2013/08/01/oracle-api-gateway-vs-oracle-xml-gateway/
http://www.slideshare.net/wso2.org/ap-is-and-beyond
http://katrinatester.blogspot.com/2015/09/api-web-services-microservices-testing.html
Tuesday, 8 September 2015
API, Web Services & Microservices Testing Pathway
This pathway is a tool to help guide your self development in API, web services and microservices testing. It includes a variety of steps that you may approach linearly or by hopping about to those that interest you most.
Each step includes:
▪ links to a few resources as a starting point, but you are likely to need to do your own additional research as you explore each topic.
▪ a suggested exercise or two, which focus on reflection, practical application and discussion, as a tool to connect the resources with your reality.
Take your time. Dig deep into areas that interest you. Apply what you learn as you go.
STEP - Distinguishing APIs and web services
An API (Application Programming Interface) is the means by which third parties can write code that interfaces with other code. A Web Service is a type of API that:
o is used to exchange data between applications,
o uses a standard defined by W3C,
o has an interface that is depicted in a machine-processable format usually specified as a WSDL (Web Service Description Language), and
o almost always operates over HTTP.
Example web service protocols and styles include SOAP, XML-RPC and REST (the last being an architectural style over HTTP rather than a wire protocol). An example of an API that is not a web service is the Linux Kernel API, which is written in C for use on a local machine.
References: API vs Web Service, Difference between web API and web service, Difference between API and web service
o 2013 - What APIs Are And Why They're Important - Brian Proffitt
o 2006 - What are web services (section) - Nicholas Chase
o 2005 - Introduction to Web Services (PDF) - Ioannis G. Baltopoulos
EXERCISE [1 hour]
Once you feel that you understand the difference between APIs and web services, talk to a developer. Ask what APIs and web services exist within the application that you're working on. Work with your developer to draw a simple architecture diagram that shows whereabouts in your application these interfaces are located. Be sure you can distinguish which are APIs and which are web services, and that you know which protocols each interface uses.
STEP - Understanding SOAP and REST
Learn more about two common implementations of web services and the differences between them:
▪ 2006 - Understanding SOAP (section) - Nicholas Chase
▪ What is REST? (video) - Todd Fredrich
▪ 2013 - Understanding SOAP and REST Basics And Differences - John Mueller
▪ 2008 - How to GET a cup of coffee - Jim Webber, Savas Parastatidis & Ian Robinson
EXERCISE [1 hour]
Find out whether you have any services with both a SOAP and a REST implementation. This means that the same business operation can be served in two different formats through two different APIs. Talk to a developer or technical lead and ask them to demonstrate a request in each implementation. Discuss the differences between these two interfaces and some of the reasons that both exist.
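As an added example for this exercise (not from the pathway's author), the same business operation, fetching one order, issued through a hypothetical SOAP 1.1 interface and through a REST interface, plus a normaliser that lets a comparative test assert both return the same data. The service namespace `urn:example:orders`, the operation names and the sample responses are constructed for the example; only the SOAP 1.1 envelope namespace is real.

```python
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:orders"                          # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ord", SVC_NS)


def soap_request(order_id):
    """SOAP: always an HTTP POST to one endpoint; the operation and its
    arguments live inside the envelope. Returns (headers, body)."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    op = ET.SubElement(body, "{%s}GetOrder" % SVC_NS)
    ET.SubElement(op, "{%s}orderId" % SVC_NS).text = str(int(order_id))
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": "urn:example:orders#GetOrder"}
    return headers, ET.tostring(env, encoding="unicode")


def rest_request(order_id):
    """REST: the resource is named in the URL and the HTTP verb is the operation.
    Returns (method, path, headers); a GET carries no body."""
    return "GET", "/orders/%d" % int(order_id), {"Accept": "application/json"}


def soap_fault_message(xml_text):
    """A SOAP Fault signals an error whatever the HTTP status code was."""
    fault = ET.fromstring(xml_text).find(".//{%s}Fault" % SOAP_NS)
    return None if fault is None else fault.findtext("faultstring")


def order_from_soap(xml_text):
    """Normalise a SOAP response to a plain dict for comparison."""
    message = soap_fault_message(xml_text)
    if message is not None:
        raise RuntimeError(message)
    order = ET.fromstring(xml_text).find(
        ".//{%s}GetOrderResponse/{%s}order" % (SVC_NS, SVC_NS))
    field = lambda name: order.findtext("{%s}%s" % (SVC_NS, name))
    return {"id": int(field("id")), "status": field("status"), "total": float(field("total"))}


def order_from_rest(status_code, json_text):
    """Normalise a REST response; here errors arrive as HTTP status codes."""
    if status_code != 200:
        raise RuntimeError("HTTP %d: %s" % (status_code, json_text))
    d = json.loads(json_text)
    return {"id": int(d["id"]), "status": d["status"], "total": float(d["total"])}


# Constructed sample responses for the same order from both interfaces.
SOAP_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<ord:GetOrderResponse xmlns:ord="urn:example:orders"><ord:order>'
    '<ord:id>42</ord:id><ord:status>shipped</ord:status><ord:total>19.99</ord:total>'
    '</ord:order></ord:GetOrderResponse></soap:Body></soap:Envelope>')
SOAP_FAULT = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    '<soap:Fault><faultcode>soap:Client</faultcode>'
    '<faultstring>Order 99 not found</faultstring></soap:Fault></soap:Body></soap:Envelope>')
REST_RESPONSE = '{"id": 42, "status": "shipped", "total": 19.99, "links": {"self": "/orders/42"}}'


def same_order(soap_xml, rest_status, rest_json):
    """Comparative test: both interfaces must describe the same order."""
    return order_from_soap(soap_xml) == order_from_rest(rest_status, rest_json)
```

Two things to notice when you run the exercise against a real pair of services: the REST response may carry extra fields (links, metadata) that the SOAP contract has no equivalent for, so compare on a normalised projection rather than the raw payloads, and error signalling differs: SOAP puts the error in a Fault element inside the body, while REST relies on the HTTP status code.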
STEP - API and web service testing
Discover the tools available and some common mnemonics to approach web service testing:
▪ 2014 - API Testing: Why it matters and how to do it - Michael Churchman
▪ 2013 - Johnny mnemonic - ICEOVERMAD - Ash Winter
▪ The API Testing Dojo - SmartBear
▪ 2015 - API Testing: UI Tools - Avinash Shetty
▪ 2015 - API Testing: Developer Tools - Avinash Shetty
▪ 2015 - WTEU-53 - An introduction to API Testing - Amy Phillips
▪ 2015 - Some API Testing Basic Introductory Notes and Tools - Alan Richardson
EXERCISES
[3 hours] Repeat the 53rd Weekend Testing Europe session by running some comparative tests on the SongKick API and associated website. SongKick is a service that matches users to live music events taking place near them. Use your web browser to make API requests as you would a website URL. Alongside the links from Amy Phillips and Alan Richardson above, you can refer to the SongKick API and the full transcript of the Weekend Testing Europe session for guidance. Experiment with locating different test data and using different API requests until you understand how the API functions. Please abide by all terms of use and do not experiment with load or security testing on this API.
[3 hours] Install Postman and use it to test the TradeMe Sandbox API. TradeMe is the leading online marketplace and classified advertising platform in New Zealand. Public, unregistered access to their developer API is restricted to catalogue methods. Experiment with retrieving information and compare your results against the TradeMe Sandbox site. Please abide by all terms of use and do not experiment with load or security testing on this API.
[3 hours] Explore the Predic8 online REST web services demo using the Advanced REST Client Chrome extension or PAW - the ultimate REST client for Mac. You will need to install your chosen software and read the supporting documentation for the demonstration REST service. Explore the different functions provided. In addition to retrieving information you should be able to modify data using POST, PUT and DELETE requests. Please abide by all terms of use and do not experiment with load or security testing on this API.
http://pages.apigee.com/rs/apigee/images/apigee-securing-the-digital-enterprise-ebook-02-2014.pdf
Securing the digital enterprise: API and API infrastructure security for the CSO
API security at all points of engagement: API and data security, threat protection, regulatory compliance & identity management
The right API security architecture: configurable policies for access control and threat protection with support for LDAP, Active Directory, SAML, OAuth and TLS, and for PCI DSS, HIPAA and EU Safe Harbor
https://www.akana.com/solutions/api-security
API Security
Enterprises are reshaping their business models to address the new digital economy by making data and applications available as APIs for consumption in mobile applications, cloud applications and the Internet of Things (IoT). While APIs connect enterprises with mobile apps and a large community of developers, these APIs also need to be scalable, reliable and, most importantly, secure. As these businesses start monetizing their resources through digital channels they need to become more vigilant about security and compliance and protect their APIs against threats and hacks.
The Akana (formerly SOA Software) API Security solution streamlines management, deployment, development and operation of APIs, enhancing security and regulatory compliance through authentication, authorization and audit capabilities. The Akana API Gateway, deployed at the edge of the network to provide perimeter security and defence, protects the enterprise by handling authentication and authorization, encrypting data, preventing threats and attacks and rate limiting traffic. The API Gateway can be deployed in the cloud or on-premises.
Authentication and Authorization
▪ Choose from a wide array of authentication schemes, standards and token types to ensure that only valid users and applications get access
▪ Integrate with leading identity and access management providers or use the built-in access control system
▪ Use existing enterprise security systems to create an OAuth authorization server.
Message Security
▪ Ensure the privacy of data in flight and at rest (a key requirement for PCI compliance)
▪ Support SSL & TLS as well as message-based encryption and decryption using the XML-Encryption standards
▪ Sign and verify messages and headers to provide non-repudiation
▪ Simplify key and certificate generation, distribution and management with built-in PKI services
Threat Protection
▪ Prevent Denial of Service (DoS) attacks, malformed messages or excessive XML/JSON depth and breadth.
▪ Detect and prevent SQL, JavaScript or XPath/XQuery injection attacks
▪ Provide a content firewall, protecting against malicious content including protection against viruses in attachments and validation of message content – XML and JSON data structure, form and query parameters.
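An added example of the depth and breadth limits listed above (not Akana's code): the check a gateway runs on the raw request body before the real parser is allowed to touch it, so that a deeply nested or very wide document is refused before it costs memory or CPU. The limit values and the sample documents are constructed for the example; the decision to refuse any XML carrying a DTD is explained in the comments.

```python
import json
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed limits; a gateway policy would make these configurable per API.
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 20, "max_breadth": 1000}


class StructureLimitExceeded(ValueError):
    pass


def check_json(text, limits=LIMITS):
    """One pass over the raw JSON text tracking nesting depth and members per
    container, without building a tree. Hostile documents are rejected before
    json.loads allocates anything for them."""
    if len(text) > limits["max_bytes"]:
        raise StructureLimitExceeded("body exceeds %d bytes" % limits["max_bytes"])
    depth, members = 0, []  # members[i] = member count of the i-th open container
    in_string = escaped = False
    for ch in text:
        if in_string:  # brackets inside strings are data, not structure
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limits["max_depth"]:
                raise StructureLimitExceeded("nesting deeper than %d" % limits["max_depth"])
            members.append(1)  # commas + 1; an empty container over-counts by one
        elif ch in "]}":
            if not members:
                raise StructureLimitExceeded("unbalanced closing bracket")
            depth -= 1
            members.pop()
        elif ch == "," and members:
            members[-1] += 1
            if members[-1] > limits["max_breadth"]:
                raise StructureLimitExceeded("container wider than %d" % limits["max_breadth"])
    if in_string or depth != 0:
        raise StructureLimitExceeded("unterminated string or container")
    return json.loads(text)  # the full syntax check happens only now


def check_xml(data, limits=LIMITS):
    """Same limits for XML, driven by parser start/end events. A DTD is refused
    outright: entity expansion ("billion laughs") is a separate exhaustion
    vector that depth and breadth limits do not catch."""
    if len(data) > limits["max_bytes"]:
        raise StructureLimitExceeded("body exceeds %d bytes" % limits["max_bytes"])
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise StructureLimitExceeded("DTD not allowed")
    depth, children, root = 0, [], None
    for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
        if event == "start":
            root = root if root is not None else elem
            depth += 1
            if depth > limits["max_depth"]:
                raise StructureLimitExceeded("nesting deeper than %d" % limits["max_depth"])
            if children:
                children[-1] += 1
                if children[-1] > limits["max_breadth"]:
                    raise StructureLimitExceeded("element wider than %d" % limits["max_breadth"])
            children.append(0)
        else:
            depth -= 1
            children.pop()
    return root


def accepts(body, kind="json", limits=LIMITS):
    """Policy decision: True only if the body parses within the limits."""
    try:
        (check_json if kind == "json" else check_xml)(body, limits)
        return True
    except (ValueError, ET.ParseError):  # limit violations and JSON errors are ValueErrors
        return False
```

The JSON scan deliberately does not validate syntax; it only has to be conservative about structure, and `json.loads` still runs afterwards on anything that passes. The XML path stops at the first violating event, so a 64 KB document that is 10,000 levels deep is rejected after the 21st start tag rather than after a full parse.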
Orchestration, Mediation and Transformation
▪ Bi-directional protocol transformation - Convert existing SOAP or Plain-old-XML (POX) over MQ or JMS services into RESTful APIs with XML and/or JSON content
▪ API & Message Routing - Route based on message content, headers, identity and other factors
▪ Orchestration - Remove operations, aggregate multiple backend APIs or services, perform mediation, or composition - without writing code.
▪ Scripting - Author reusable scripts using a variety of languages (e.g. node.js, JavaScript, Groovy, Jython, BeanShell) and embed them within processes
Analytics and Monitoring
▪ Real-time system monitoring – Use the Web-based dashboards to get real-time visibility into service and API performance, dependencies, and alert status
▪ Alert Management – Powerful alert management, monitoring, and distribution. Leverage alerts within compositions to control message routing, enforce SLAs or perform other runtime activities
▪ Analytics – Dashboards and out-of-the-box reports provide visibility into the performance of APIs and services from different perspectives, including department, partner, application contract, API/service or operation.
Unified API and SOA
▪ Define and Manage APIs - Create APIs with multiple interfaces using different standards including REST/XML, REST/JSON and SOAP with no extra development effort
▪ Comprehensive Integration with Akana's Lifecycle Manager - Control the service production and consumption process from requirements definition to development
▪ Contract Management - Manage relationships between service consumers and providers
Deploy in the cloud, or on-premises
▪ On-Premise or in the Cloud – You can choose how and where you deploy to best meet the need of your business
▪ Virtual Appliance – Deploy as a pre-packaged hardened virtual appliance on any infrastructure of your choice
https://aws.amazon.com/api-gateway/
Amazon API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a "front door" for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any Web application. Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. Amazon API Gateway has no minimum fees or startup costs. You pay only for the API calls you receive and the amount of data transferred out.
Easily Monitor API Activity
After your API is deployed, Amazon API Gateway provides you with a dashboard to visually monitor calls to your services using Amazon CloudWatch, so you see performance metrics and information on API calls, data latency, and error rates.
Streamline API Development
Amazon API Gateway lets you simultaneously run multiple versions of the same API, allowing you to quickly iterate, test, and release new versions.
Flexible Security Controls
API Gateway provides you with tools to authorize access to your APIs and control service operation access. You can use AWS administration and security tools, such as AWS Identity and Access Management (IAM) and Amazon Cognito, to authorize access to your APIs. Amazon API Gateway can verify signed API calls on your behalf using the same technology AWS uses for its own APIs. If you already use OAuth tokens or another authorization mechanism, Amazon API Gateway can forward your OAuth or OpenID Connect headers to your back end for verification.
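The "same technology AWS uses for its own APIs" is Signature Version 4 (SigV4). As an added example (not AWS code), here is the client-side signing of an `execute-api` call and the gateway-side verification that recomputes the signature from the request as received. The access key id, secret, host name, path and payload are constructed; the 300-second clock-skew window is an assumption for the example, and the path is assumed to contain nothing that needs URI encoding. A caveat worth keeping in mind: SigV4 is an HMAC over a shared secret, so it authenticates and integrity-protects the call but, unlike the message signatures with non-repudiation mentioned in the Akana text above, it cannot prove to a third party which side produced it.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "execute-api"        # the service name API Gateway endpoints are signed under
MAX_CLOCK_SKEW = 300           # seconds; an assumption for this example


def _hex_sha256(data):
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret, date, region, service):
    """Derived key chain: HMAC("AWS4"+secret, date) -> region -> service -> "aws4_request".
    The long-term secret itself is never used directly on the wire."""
    k = _hmac_sha256(("AWS4" + secret).encode(), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, service)
    return _hmac_sha256(k, "aws4_request")


def canonical_request(method, path, query, headers, payload):
    """Headers must already have lower-case names. Header values are trimmed and
    whitespace-collapsed, query parameters sorted, and the payload hashed, so the
    signature covers everything an attacker could otherwise alter in transit."""
    cquery = "&".join("%s=%s" % (quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                      for k, v in sorted(query.items()))
    names = sorted(headers)
    cheaders = "".join("%s:%s\n" % (n, " ".join(headers[n].split())) for n in names)
    signed = ";".join(names)
    return ("\n".join([method, quote(path, safe="/-_.~"), cquery, cheaders, signed,
                       _hex_sha256(payload)]), signed)


def signature(secret, date, region, amz_date, creq):
    scope = "/".join([date, region, SERVICE, "aws4_request"])
    sts = "\n".join([ALGORITHM, amz_date, scope, _hex_sha256(creq.encode())])
    return hmac.new(signing_key(secret, date, region, SERVICE), sts.encode(),
                    hashlib.sha256).hexdigest(), scope


def parse_amz_date(s):
    return datetime.datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=datetime.timezone.utc)


def sign_request(access_key, secret, region, method, host, path, query, headers,
                 payload, amz_date):
    """Client side: returns the headers to send, including Authorization."""
    h = {k.lower(): v for k, v in headers.items()}
    h["host"], h["x-amz-date"] = host, amz_date
    creq, signed = canonical_request(method, path, query, h, payload)
    sig, scope = signature(secret, amz_date[:8], region, amz_date, creq)
    h["authorization"] = "%s Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        ALGORITHM, access_key, scope, signed, sig)
    return h


def verify_request(secrets, now, method, path, query, headers, payload):
    """Gateway side. `secrets` maps access key id -> secret; `now` is the
    server's UTC time. Returns (ok, access key id or rejection reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    auth = h.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False, "not a SigV4 Authorization header"
    try:
        parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
        akid, date, region, service, term = parts["Credential"].split("/")
        signed = parts["SignedHeaders"].split(";")
        presented = parts["Signature"]
    except (KeyError, ValueError):
        return False, "malformed Authorization header"
    if service != SERVICE or term != "aws4_request":
        return False, "credential scope is for another service"
    if "host" not in signed or "x-amz-date" not in signed:
        return False, "host and x-amz-date must be signed"
    amz_date = h.get("x-amz-date", "")
    try:
        ts = parse_amz_date(amz_date)
    except ValueError:
        return False, "bad x-amz-date"
    if not amz_date.startswith(date) or abs((now - ts).total_seconds()) > MAX_CLOCK_SKEW:
        return False, "timestamp outside the allowed window"  # bounds replay of a captured call
    secret = secrets.get(akid)
    if secret is None:
        return False, "unknown access key id"
    try:
        sub = {n: h[n] for n in signed}  # only the headers the client actually signed
    except KeyError:
        return False, "signed header missing"
    creq, _ = canonical_request(method, path, query, sub, payload)
    expected, _ = signature(secret, date, region, amz_date, creq)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, akid
```

The verifier rebuilds the canonical request from what it received rather than trusting anything in the Authorization header beyond the key id, scope and signed-header list, and compares with `hmac.compare_digest` to avoid a timing side channel. Requiring `host` and `x-amz-date` in the signed set is what stops a captured signature being replayed against another endpoint or outside the skew window.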
Create RESTful Endpoints for Existing Services
With Amazon API Gateway, you can create modern resource-based APIs, and then use the dynamic and flexible data transformation capabilities to generate the requests in the language your target services expect. API Gateway also helps you protect your existing services by setting throttling rules to avoid overwhelming your back-end infrastructure during unpredictable traffic spikes.
Run Your APIs Without Servers
Amazon API Gateway tightly integrates with AWS Lambda to allow you to create completely serverless APIs. With Amazon API Gateway, you create REST APIs that your mobile and web applications can use to call publicly available AWS services through your code running in AWS Lambda. AWS Lambda runs your code on a high-availability compute infrastructure and performs all the heavy lifting and administration of your compute resources.
https://aws.amazon.com/lambda/
AWS Lambda
Run code without thinking about servers. Pay for only the compute time you consume.
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
https://aws.amazon.com/device-farm/
Pricing
Your first 250 device minutes are free
Pricing is based on device minutes, which are determined by the number of devices you use and the duration of your tests. AWS Device Farm comes with a free trial of 250 device minutes. After that you are charged $0.17 per device minute. As your testing needs grow, you can opt for our unmetered testing plan, which allows unlimited testing for a flat monthly fee of $250 per device.
There are no long-term contracts – and you have the freedom to modify your pricing plan based on your needs.
Test on the same devices your customers use
Run tests across a large selection of physical devices in parallel from various manufacturers with varying hardware, OS versions and form factors. Unlike emulators, physical devices provide a more accurate understanding of how users interact with your app, by taking into account factors such as memory, CPU usage, location, and modifications done by manufacturers and carriers to the firmware and software. We are always adding devices to the fleet. See the device list.
Simulate real-world environments
Fine-tune your test environment by configuring location, language, application data, and installing prerequisite apps to simulate real-world customer conditions.
Integrate with your development workflow
Use our service plug-ins and API to automatically initiate tests from continuous integration systems like Jenkins and other development tools.
Fix issues faster and delight your users
Focus on the most important issues by viewing detailed, actionable reports. We identify and group problems across every device, so you can quickly analyze results, logs, screenshots, and performance data across your tests.
Choose the tests that work for you
Run our built-in test suite - no scripting required. Or fully customize your tests by selecting from a range of popular open-source test frameworks like Appium, Calabash, and Espresso that allow you to take full control. View the list of supported frameworks.
http://docs.aws.amazon.com/devicefarm/latest/developerguide/welcome.html
Supported Test Types and Built-in Tests
Device Farm currently provides support for the following test types:
For Android:
▪ Calabash
▪ Instrumentation (JUnit, Espresso, Robotium, or any instrumentation-based tests)
▪ Explorer
For iOS:
▪ Calabash
▪ XCTest (including KIF)
If you do not have your own tests, you can use a built-in fuzz test. For more information, see Built-in: Fuzz (Android and iOS).
Test with confidence
Each device is dedicated to you for the duration of your test and completely isolated from other devices at the software and hardware level. After each test run, the devices are wiped to remove your application and data.