Beyond 200 OK: Pricilla Bilavendran [Testμ 2022]

API testing has been on the market for a few years, and we are all doing our best to test it efficiently and intelligently. The question that often arises is, “Are we doing it the right way?” or “Are we testing it enough?”

While testing the APIs, we focus on certain standardized checks and fail to explore beyond. For instance, getting the status code 200 OK is a generalized parameter, and we fail to check other possibilities.

In this insightful session of the Testµ conference, Pricilla Bilavendrana, Team Leader Billennium, shares all her lessons and experiences that will help elevate your API testing process.

Let’s start with some of the major highlights of this session:

Pricilla started talking about what she calls “The API revolution.” As testers, APIs are really important and crucial. She explained it through some facts:

• 90% of developers worldwide are using APIs by any means. For example, to somehow integrate APIs with other applications or to make some actions happen through APIs,
• 65% of companies realized the importance of digital transformation after this pandemic. This made them all realize the value and importance of APIs.

So, what is changing? Or what has changed?

Pricilla talked about how the pandemic affected digital transformation. From people around the globe working remotely to ordering groceries and medicines online, highlighted in the microservices architecture, which calls for the use of APIs. This summed up the API revolution.

“API testing is no more a luxury, it is a necessity”

As quoted, Pricilla explained her opinion behind the statement: If your applications are built upon microservices-based architecture and you are communicating with APIs by any means, of course, you have to do your API testing.

Types of API Testing

To build a world-class strategy, you must understand how to test your APIs and what you have to test. To perform these functions, you require a basic understanding of the types of API testing.

Pricilla used the analogy of a coffee machine and highlighted the 8 types of API testing:

• Validation Testing
• Functional Testing
• Integration Testing
• Security Testing
• Performance Testing
• Reliability Testing
• API Documentation Testing
• Regression Testing

“Security is everyone’s responsibility”

Top 10 vulnerabilities for APIs

As the loads are increasing, it is making APIs more vulnerable. Knowing about these vulnerabilities is the first step towards improving the security of your APIs because the proper awareness is better.

The following are the 10 API vulnerabilities:

API 1: 2019 Broken Object Level Authorization.
API 2: 2019 Broken User Authentication.
API 3: 2019 Excessive Data Exposure.
API 4: 2019 Lack of Resources and Rate limiting.
API 5: 2019 Broken Function Level Authorization.
API 6: 2019 Mass Assignment.
API 7: 2019 Security Misconfiguration.
API 8: 2019 Injection.
API 9: 2019 Improper Assets Management.
API 10: 2019 Insufficient Logging and Monitoring.

There must be a lookout if any of your tests fall under these vulnerabilities. It would be better to talk to your developers or stakeholders. Pricilla indicated that the first step towards improving security is acquiring knowledge.

API Security Testing

So, after presenting the API vulnerabilities, Pricilla explained what, as a tester, you could do to add to your API security testing.

• Make sure to add basic security test cases to validate and include them in your routine testing procedures.
• Have detailed knowledge of your error codes, so it is easier for you to communicate with your developers.
• Prioritize areas where security-related attacks can happen.
• Proper authentication or authorization methods are followed, and you’re writing your assertions and test cases to validate.
• Setting up monitors for your APIs to help you prevent security attacks in the future.
• Have basic knowledge about all the web vulnerabilities for your APIs.

At last, it is a continuous process and needs to be followed as part of your routine for the changes to reflect.

Pricilla talked about the Twitter Hack 2020 that led to the security breach of Twitter accounts such as Elon Musk, Jeff Bezos, etc., as an example of how a social engineering attack compromised twitter’s security.

API Performance

Living in a fast-paced world, Pricilla highlighted how we want things in an instant. This way, performance testing has been neglected, especially for your APIs. This is where attention needs to be diverted to API Performance.

Performance testing plays an important role because:

• APIs decide the overall performance of your application.
• Stability, Scalability, and Speed are the three factors on which our API performance is dependent.
• Lastly, we need customer gratification to make your customers happy and be relevant in the market. This also depends on performance testing.

The above slide showcases some of the metrics that can be incorporated to measure our performance testing for the APIs.

To end the session, Pricilla talks about how API automation is the need of the hour!

She pointed out some of the ways by which we can answer the question “How to?”

• Identify all the endpoints or the capabilities of your APIs and try to play around with that.
• Use some parameters and the chaining of the request so that they can communicate with one another. Instead of testing as a standalone endpoint, you can test them as a scenario or a flow.
• Try to cover all the different types of testing.
• Integrate it with your existing CI CD pipelines as that helps save a lot of your time.

Read more about Pricilla Bilavendran and her talk on Beyond 200 OK during Testμ Conference 2022 by LambdaTest.

Time for some Q&A!

The session ended with a few questions asked by the attendees to Pricilla. Here is the Q&A:

• Does Cloud infrastructure influence the API performance and security issues?

Pricilla: Of course, it is because you are in this case where you are going to use the inbuilt security or the performance provided by the cloud-based platforms. It will have a bit of impact, but every cloud provider is also enhancing their security-based thing, so just remember, when it comes to the API security things, there is no ground rule like this kind of authorization is going to be the better one. You would have to sit and analyze what sort of project you are planning to monetize your project. For example, the easiest way for the other third-party users to integrate your APIs will be completely private and internal for your internal purposes. If you’re not planning to host it to outside vendors, you can go for a strict or medium validation.

• I test standard APIs and custom comms APIs. Do you recommend the same API testing techniques for both?

Pricilla: Definitely not because, as I mentioned before, every API and the purpose of API is different, so based on that, you have to analyze the priority for this API, whether the performance or the security or the integration part. On these bases, you can categorize your text case.

• What is the effect of AI and ML on ensuring security threats in API?

Pricilla: It has a lot of impacts, but what we can start doing is since we already know what are the vulnerabilities and security threats for our APIs, we can start building models for a security threat, and even for making that you’re going to provide a lot of data, but I believe many more good practices are coming in this aspect and we can keep an eye out for them.

After the successful Testμ Conference 2022, where thousands of testers, QA professionals, and developers worldwide joined together to discuss on future of testing.

Join the testing revolution at LambdaTest Testμ Conference 2023. Register now!” – The testing revolution is happening, and you don’t want to be left behind. Join us at LambdaTest Testμ Conference 2023 and learn how to stay ahead of the curve. Register now and be a part of the revolution.