From conception to consumption: The API delivery process (Part 2)

In part 1 of this series, we analyzed the main components of the API delivery process such as specifying the problem the API intends to solve by means of its value, the development of the API’s minimum viable product, and the API’s time to market. In this post, we will look at the remaining two aspects of this process: Quality and Security.

Quality Standards

Ensuring that an API product meets minimum quality standards is the foundation of its initial and continuous adoption and it directly affects the way the API benefits the company. In order to meet these minimum quality standards, an API should comply with requirements regarding functionality, usability, reliability, performance, and monitoring. The most straightforward way to ensure compliance with quality standards is to implement a complete testing strategy that covers all these aspects.

The first step in implementing a successful testing strategy is to have a clear plan to guide the testing efforts and to make sure that every action is purposely intentional. Specifically, this plan will focus on areas covering different facets of the API, such as its audience, usage environments, reliability, performance, and the priorities assigned to each of these areas.

Determining the API’s audience is just as important as determining its value and the problem it is meant to solve. These two points will help identify, design and implement functional and usability tests. The former will focus on ensuring that the API does what it is supposed to do. The latter will focus on ensuring that the API can be consumed easily and correctly by the users it was built for. Successful functional testing will make sure that the API’s inputs and outputs are correctly formed and that error messages are meaningful and concise. Similarly, successful usability testing will ensure that the API’s users can consume the API in an effective and straightforward manner. Usability tests should also ensure that there is absolutely no room for ambiguity during the entire API experience. Potentially, these tests could also include testing the usage of the API in any other creative ways that its consumers can think of.

Reliability tests will ensure that the API’s behavior is consistently correct all the time. This is of particular importance in any type of real-time systems in which 24/7 availability is mandatory. Similarly, load, stress and speed tests will ensure the API behaves correctly under extreme circumstances such as a high number of concurrent consumers, a high volume of incoming data that needs to be processed, or a combination of both. A very good companion for this type of tests is testing of error handling and default behavior. These will ensure that the API’s performance degrades gracefully in the event of unexpected errors or reaching its maximum capacity.

Finally, monitoring testing will ensure that the API is capable of detecting unexpected situations on time and that this is logged correctly, effectively and securely. These unexpected situations include but are not limited to runtime errors, execution errors, memory or resource leaks, and improper usage.

API Gateways and Security

In part 1, we established that an API product does not necessarily correlate to a single specific data or service provided by the company but rather to a combination of those in a very unique way that is totally consumer-centered. This is hard to achieve if there is no way to combine the services offered by the company in single, unique ones tailored specifically for the consumer. To overcome this problem, using an API Gateway is absolutely necessary, as it works as an aggregator layer that routes client requests to internal services.

An API Gateway offers a long list of benefits in addition to service aggregation. By serving as a point of entry to internal APIs, an API Gateway frees these from implementing cumbersome, complex and sensitive operations, which, in the end, makes them a lot simpler. These functions include but are not limited to:

• Security, authentication and potentially authorization
• Management of API’s access quotas (maximum number of requests in a given time interval) and throttling (maximum request limit)
• Caching, to reduce response times after first access
• API’s performance and health monitoring
• API’s versioning

It is the first of all these benefits that deserves special attention. Simply putting internal APIs behind an API Gateway does not ensure that basic security standards are always met. These include ensuring that the information sent by the API is only the information that the consumer needs, ensuring that the consumer of the API, at the other end, is actually authorized to access the API, ensuring that the API Gateway itself is doing what it is supposed to be doing in terms of security. To overcome these and other problems, it is recommended to use an API Security Gateway instead of a plain API Gateway.

API Security Gateways are secure by design. This means that unlike regular API Gateways, they implement security policies to offer features like storage encryption, identity federation and single sign-on, real-time monitoring, and self-protection against cyber attacks. API Gateways, on the other hand, are based on integration platforms that run as software applications on insecure operating systems.

Conclusion

The API Delivery Process must ensure that the value provided by the API is protected by a well-defined set of tests and a well-rounded set of security policies. These tests and security policies will ensure quality of service and basic protection for both the API and its consumers.

Quality tests should be designed and implemented with a focus on the API consumers, environments in which the API will be used, reliability, and performance. This will guarantee a complete coverage of all the API’s facets.

Access to the API needs to be controlled by a common point of entry in the form of an API Gateway. The API Gateway will route all client requests to the appropriate API. Other features of an API Gateway include access quotas, throttling, caching, performance and health monitoring, and API’s versioning. In order to cover more advanced security requirements, such as storage encryption, identity management, security monitoring, and protection against cyber attacks, the use of an API Security Gateway is preferred.