Automated API Tests in the SDLC are a Boon

This post discusses my views on the importance of automated API testing for organizations that want to improve their API and supply chain security posture.

An Imaginary Story

You're working at a startup in the Engineering Team that helps scale businesses by providing them APIs to acquire leads, store lead PII and non-PII data, invoices, purchase orders, customer engagements, etc. Your customers have integrated your APIs into their product and they've seen new leads coming through. They're happy with your product.

The APIs are running smoothly, your security team has conducted API pentests and thorough source code reviews, so your customers don't have to worry about security. Your platform has never been breached.

But recently your security team has raised concerns about supply chain security: the packages you're running are outdated, and the engineering team hasn't prioritized updating them.

A few weeks later, an SQL injection vulnerability is disclosed in the ORM package that your backend relies on as a core component.

Since most of your dependencies are outdated, you're now required to bump all your packages to the latest (or n-1 / n-2) stable version. A change this large can break your code and hamper your organization's business, but you're obliged to make it to avoid a data breach.

The engineering team bumps all the dependencies to the latest version and fixes the vulnerability. But they hesitate to deploy the release, since it may introduce breaking changes in the API that would hamper other products and their businesses.

Automated API Tests are no longer optional

Most internet traffic today is API traffic.

Before every release it's necessary to test your APIs to check that their functionality still works. You can't ignore APIs today; they're driving most of the products you consume.

Sometimes security changes cause breaking changes in API functionality, so having automated API tests run as part of your deployment and SDLC processes plays an important role.

Writing automated tests and running them with tools such as Bruno, Postman or HTTPie can help you be confident that your APIs won't break.

Note: I'm not sponsored by any of the products, they're only provided as examples. I don't mind if you want to sponsor my work πŸ˜‰.

It is also important to maintain the tests regularly and to keep the testing framework/tool independent of the API backend tech stack, i.e. avoid writing API tests as unit tests inside the backend codebase. Otherwise, bumping dependencies may also require rewriting those tests, which hampers productivity and makes fixing supply chain vulns take longer than expected.

Additionally, it reduces manual testing time. Automated tests can be integrated into CI/CD pipelines so that your APIs are tested on every release, before and after deployment.
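The following is an added example of what such a stack-independent API test suite can look like; it is not code from the original post or from any of the tools named above. The test cases are plain data and exercise the API over HTTP only, so bumping the backend's dependencies cannot break the test suite itself. The endpoints (/health, /leads), the bearer token and the small stand-in server are all constructed for this example so that it runs offline; in CI you would point run_cases() at the staging deployment instead.

```python
"""Stack-independent API regression tests (added example, not from the post)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_TOKEN = "test-token"  # constructed; CI would inject a real credential
AUTH = {"Authorization": f"Bearer {API_TOKEN}"}

# Each case is the request to send plus the response contract it must keep.
# The 401 case matters most: it catches a release that silently drops auth.
CASES = [
    {"name": "health", "method": "GET", "path": "/health",
     "expect_status": 200, "expect_keys": ["status"]},
    {"name": "leads_require_auth", "method": "GET", "path": "/leads",
     "expect_status": 401},
    {"name": "leads_list", "method": "GET", "path": "/leads", "headers": AUTH,
     "expect_status": 200, "expect_keys": ["leads"]},
    {"name": "lead_create", "method": "POST", "path": "/leads", "headers": AUTH,
     "body": {"email": "lead@example.com"}, "expect_status": 201, "expect_keys": ["id"]},
    {"name": "lead_create_rejects_bad_body", "method": "POST", "path": "/leads",
     "headers": AUTH, "body": {"name": "no email"}, "expect_status": 400},
]


class StubHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for a hypothetical leads API (constructed for this example)."""
    auth_enforced = True  # set False to simulate a release that drops the auth check

    def _send(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _authorized(self):
        return (not self.auth_enforced
                or self.headers.get("Authorization") == f"Bearer {API_TOKEN}")

    def do_GET(self):
        if self.path == "/health":
            self._send(200, {"status": "ok"})
        elif self.path == "/leads":
            if not self._authorized():
                return self._send(401, {"error": "unauthorized"})
            self._send(200, {"leads": []})
        else:
            self._send(404, {"error": "not found"})

    def do_POST(self):
        if self.path != "/leads":
            return self._send(404, {"error": "not found"})
        if not self._authorized():
            return self._send(401, {"error": "unauthorized"})
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            body = {}
        if not isinstance(body, dict) or not isinstance(body.get("email"), str):
            return self._send(400, {"error": "email required"})
        self._send(201, {"id": 1, "email": body["email"]})

    def log_message(self, *args):  # keep test output quiet
        pass


def start_stub_server():
    """Start the stand-in API on a free port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def call(base_url, method, path, headers=None, body=None):
    """Send one request and return (status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers=dict(headers or {}))
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw, status = resp.read(), resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        raw, status = err.read(), err.code
    return status, (json.loads(raw) if raw else None)


def run_cases(base_url, cases=CASES):
    """Run every case against base_url; returns a list of failure descriptions."""
    failures = []
    for case in cases:
        status, payload = call(base_url, case["method"], case["path"],
                               case.get("headers"), case.get("body"))
        if status != case["expect_status"]:
            failures.append(f"{case['name']}: expected {case['expect_status']}, got {status}")
            continue
        missing = [k for k in case.get("expect_keys", [])
                   if not isinstance(payload, dict) or k not in payload]
        if missing:
            failures.append(f"{case['name']}: response missing {missing}")
    return failures


if __name__ == "__main__":
    server, url = start_stub_server()
    problems = run_cases(url)
    server.shutdown()
    print("PASS" if not problems else "\n".join(problems))
    raise SystemExit(1 if problems else 0)
```

Because the suite only speaks HTTP, the same file runs unchanged against a Node, Go or Python backend, and against a release that was rebuilt with bumped dependencies. The exit code makes it a natural CI gate: a non-empty failure list fails the pipeline before the release reaches customers.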

Surprisingly, many organizations are running outdated software, which leaves their products exposed to several attack vectors.

It is extremely important to keep your software/API dependencies up to date to avoid introducing vulns into your products via supply chain attack vectors.

Engineering teams can automate dependency patching with tools such as GitHub's Dependabot.

It can group several dependency bumps into a single PR. Separately, when a new vulnerability is published for one of your dependencies, Dependabot security updates raise a PR to bump it to a patched version.
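As an added example (not from the original post), here is a Dependabot configuration that groups routine bumps into one weekly PR so that the API test suite validates them together, while leaving major-version bumps as separate PRs. The npm ecosystem and root directory are assumptions; substitute pip, gomod, etc. as appropriate for your backend.

```yaml
# .github/dependabot.yml (added example; npm and "/" are assumptions)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # One PR per week for all minor and patch bumps, so the CI API tests
      # run once against the combined change instead of PR-by-PR.
      routine-updates:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    # Major bumps do not match the group and get their own PR each,
    # since they are the ones most likely to break the API.
```

Note that this file controls version updates only; Dependabot security updates are enabled separately in the repository's security settings and open a PR as soon as an advisory matches one of your dependencies, regardless of the schedule above. With the API tests wired into CI, each of these PRs arrives with a pass/fail signal attached.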

Why you must Integrate API tests into your CI/CD Pipeline

  • Confidence for every deployment

  • Faster Releases and Continuous Improvement

  • Efficient and better API Testing

  • Enhancing Security

  • Better Compliance

Conclusion

It's best to have an automated API testing framework integrated into your CI/CD workflows. Automated API tests can help teams fix security issues and deploy patches with confidence.

I hope you have API tests for your APIs in your CI/CD πŸ˜‰.
