REST (Representational State Transfer) APIs have become the de facto standard for building APIs that expose services and data. As organizations adopt microservices and API-driven architectures, they are building more REST APIs than ever before. This growth in APIs requires managing them effectively to ensure they meet expectations around security, performance, reliability and more. As such, organizations need to assess their REST APIs regularly.
What is a REST API?
A REST API is an application programming interface (API) that conforms to the design principles of the REST architectural style. REST APIs use HTTP requests to perform operations on resources, and each resource is addressed by a URI. REST APIs expose CRUD operations on resources through HTTP methods such as GET, POST, PUT and DELETE.
For example, to create a new user resource, a REST API client sends an HTTP POST request to the /users URI. To get the details of the user with ID 123, the client sends a GET request to /users/123. REST APIs return results in easy-to-parse formats such as JSON or XML.
Why assess REST APIs?
Assessing REST APIs regularly brings several benefits:
- Ensure APIs meet expectations around performance, security and reliability
- Identify areas needing improvement
- Compare against industry best practices
- Monitor API usage and adoption
- Detect issues early before they impact customers
- Inform strategic decisions around APIs
Without proper assessment, organizations run the risk of APIs not living up to their goals and not delivering expected value.
How to assess REST APIs
Here are key aspects to assess during REST API reviews:
Functional Correctness
Review APIs to ensure they perform the intended functions correctly:
- Test all API endpoints using valid and invalid inputs
- Verify error handling works as expected
- Confirm APIs integrate properly with backend services
- Check payloads are validated properly before processing
- Ensure pagination, sorting and filtering work as intended
Security
Assess security mechanisms implemented in the API:
- Review authentication, authorization schemes
- Check TLS usage for encryption
- Confirm sensitive data is not exposed in responses
- Verify the API is not vulnerable to attacks such as SQL injection and XSS
- Ensure proper access controls on API resources
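The security checks listed above, together with the functional check that payloads are validated before processing, can be automated. The following is an added example that is not code from the original article: it runs those checks against a constructed in-memory stand-in for a /users API. The /users/{id} route follows the article's own example; `fake_api`, `hardened_api`, the token and the user records are assumptions made for the illustration.

```python
# Constructed in-memory stand-in for an API under review; not a real service.
USERS = {"123": {"id": "123", "email": "a@example.test", "password_hash": "x"},
         "456": {"id": "456", "email": "b@example.test", "password_hash": "y"}}
TOKENS = {"tok-123": "123"}  # bearer token -> user id that owns it
SENSITIVE = {"password", "password_hash", "ssn", "secret"}

def fake_api(method, path, headers=None, body=None):
    """Minimal /users handler with two deliberate review findings: it never checks
    that the caller owns the requested user, and it returns the stored password hash."""
    headers = headers or {}
    user = TOKENS.get(headers.get("Authorization", "").replace("Bearer ", ""))
    if user is None:
        return 401, {"error": "unauthenticated"}
    if method == "GET" and path.startswith("/users/"):
        rec = USERS.get(path.split("/")[2])
        return (200, rec) if rec else (404, {"error": "not found"})
    if method == "POST" and path == "/users":
        if not isinstance(body, dict) or "email" not in body:
            return 400, {"error": "invalid payload"}  # validated before processing
        return 201, {"id": "789"}
    return 405, {"error": "method not allowed"}

def hardened_api(method, path, headers=None, body=None):
    """Same API with both findings closed: ownership check and response filtering."""
    headers = headers or {}
    user = TOKENS.get(headers.get("Authorization", "").replace("Bearer ", ""))
    if user and method == "GET" and path.startswith("/users/") and path.split("/")[2] != user:
        return 404, {"error": "not found"}  # 404 rather than 403 so ids are not enumerable
    status, resp = fake_api(method, path, headers, body)
    return status, {k: v for k, v in resp.items() if k not in SENSITIVE}

def assess_security(api, base_url, token, own_id, other_id):
    """Run the checklist against `api` and return one boolean per check."""
    auth = {"Authorization": f"Bearer {token}"}
    findings = {"tls": base_url.startswith("https://")}
    status, _ = api("GET", f"/users/{own_id}")                # no credentials at all
    findings["auth_required"] = status in (401, 403)
    status, _ = api("GET", f"/users/{other_id}", auth)        # valid token, other user's id
    findings["object_level_authz"] = status in (403, 404)
    status, resp = api("GET", f"/users/{own_id}", auth)
    findings["no_sensitive_fields"] = status == 200 and not (SENSITIVE & set(resp))
    status, _ = api("POST", "/users", auth, body="not-json")  # malformed payload
    findings["payload_validated"] = status == 400
    return findings
```

Against a real API, `api` would be a thin wrapper around an HTTP client that returns `(status, parsed_json)`; the checks themselves stay the same.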
Performance
Evaluate API performance under expected load conditions:
- Load test APIs to gauge response times, throughput, scalability
- Identify performance bottlenecks
- Check for memory leaks, unexpected spikes in utilization
- Compare against performance SLAs
- Monitor API usage trends
Reliability & Availability
Assess API reliability:
- Check for crash rates, failed requests
- Monitor uptime, track outages
- Review logs for warnings, errors
- Ensure proper monitoring, alerting configured
- Validate that resiliency practices such as retries and circuit breakers are implemented
Maintainability
Evaluate API code maintainability:
- Assess documentation quality
- Review coding practices, conventions followed
- Check complexity using metrics like cyclomatic complexity
- Validate test coverage
- Evaluate dev processes like code reviews
Usability
Review API usability:
- Ensure API documentation is clear, complete and up-to-date
- Validate SDKs, tools, samples provided to facilitate adoption
- Check for API discoverability within developer portals
- Confirm API follows common conventions, patterns
- Get feedback from consumers on API usability
Monitoring & Analytics
Evaluate usage and performance monitoring capabilities:
- Verify API activity is tracked, e.g., requests, response times and errors
- Check for capabilities to slice and dice API telemetry
- Confirm alerting is configured for key metrics
- Assess ability to trace requests end-to-end
- Evaluate integration with monitoring tools
When to assess REST APIs
REST APIs need to be assessed on a regular basis. Here are some common scenarios:
- Continuous assessments – Monitor APIs in production on an ongoing basis
- Release testing – Validate APIs before releasing to consumers
- Iteration demos – Review APIs at the end of each development sprint
- Periodic audits – Audit APIs quarterly or biannually for quality
- After major incidents – Assess APIs after any major outages, incidents
Who performs REST API assessments?
REST API assessments are often performed by:
- API developers – Review own APIs before releasing to QA
- QA engineers – Validate APIs independently as part of test automation
- API product managers – Demo APIs and gather feedback from consumers
- Architects – Audit APIs to ensure alignment with architecture guidelines
- Security teams – Perform penetration tests to identify vulnerabilities
- DevOps engineers – Monitor API health and performance
REST API assessment tools
Specialized tools can simplify and streamline REST API assessments. Examples include:
Tool | Key Features
---|---
Postman |
SOAPUI |
Parasoft SOAtest |
Specialized monitoring tools like AppDynamics and New Relic also provide capabilities to monitor API performance.
REST API assessment best practices
Follow these best practices for effective REST API assessments:
- Define clear review criteria covering all key aspects like security, performance, design
- Leverage test automation to perform functional validation
- Make APIs self-documenting by producing OpenAPI (Swagger) spec
- Gather feedback from developers building against the API
- Compare API design against industry standards and guidelines
- Use tools to analyze code complexity, validate test coverage
- Monitor production APIs in real-time and alert on failures
- Treat API assessment as a continuous process, not a one-time activity
REST API assessment challenges
Some common challenges faced during REST API assessments include:
- Incomplete or outdated documentation
- APIs not being appropriately instrumented
- Lack of effective test data and automation
- Unclear review criteria and objectives
- Assessing diverse types of APIs built using different frameworks
- Monitoring capabilities not keeping pace with rate of API growth
- Ensuring adequate participation from security and testing teams
Conclusion
To summarize, REST API assessment involves methodically reviewing APIs for security, performance, reliability and other key quality attributes. Assessment provides the visibility required to identify issues before they impact customers. Leveraging the right processes, tools and automation allows organizations to institutionalize API assessments and integrate them into the software delivery lifecycle. With APIs becoming critical business assets, continuously assessing them is imperative for organizations to maximize their value and minimize risks.