StopLight makes API Development an Easier Process

Modeling applications have assisted programmers in architecting software for years. So it stands to reason the process of API design and development would also benefit from the use of models during the SDLC. StopLight is one such application, offering shops a full visual API modeling suite, including documentation and other useful features.

The best applications used for software development stay out of the way, while making the entire architecting, coding, and testing processes easier. With that said, let’s take a closer look at StopLight to see if it needs to be part of your team’s API tool arsenal.

The Need for a Better API Design Tool

Like many other innovative technology products – Ruby on Rails comes to mind – StopLight was developed by software engineers wanting a better tool to make their work easier. Company founder Marc MacLeod commented on how the need for a better API tool led to StopLight’s genesis. “I’m an engineer, and StopLight is the solution to problems I faced repeatedly. Before StopLight, best practices were very manual — with no easy way to document and test APIs in an accessible, collaborative setting. StopLight changes this paradigm,” said MacLeod.

StopLight first became available in February of 2016. The designer tool is free to use for individual developers, while team subscriptions are also available – starting at a monthly rate of $8 per person. At those prices, downloading the application to test drive its features and functionality is a smart call for any API shop. The app is available on the Mac, Windows, and Linux platforms.

StopLight – Features and Functionality

The StopLight application suite includes three main modules. The API Designer is the heart of the tool, providing a way for developers to collaborate on model design leveraging open standards. A documentation module automatically generates API documentation every time the model changes – a boon for public API shops.

Prism Proxy gives developers a way to validate and mock API requests. Users can either install the proxy on a local server, or use StopLight’s Cloud-hosted version for up to 20,000 requests per month. One useful feature provided by Prism Proxy is the ability to reverse engineer an API – simply run traffic through the proxy and StopLight automatically generates endpoint and model definitions.

An Easy to Use API Design Tool

StopLight’s easy to use API Designer module lets everyone work together on API designs, no matter their level of technical expertise. Even business stakeholders with little to no programming experience are able to use the tool. This is one feature attractive to DevOps and Agile development teams where collaboration and interaction are vital to the success of a project.

Version 2 of StopLight entered a public beta phase in July, with a new module used for testing APIs, including the debugging of HTTP requests. Better collaboration features are also part of the new release. A new pricing model adds flexibility to shops of all sizes.

StopLight is worthy of further exploration for any API development shop. This product continues to garner a lot of buzz in the industry.

Keep coming back to the Betica Blog for additional insights into the world of QA and software development.

A Closer Look at Fuzz Testing

Fuzz Testing remains an important part of any application or system QA process. Sometimes known as “fuzzing,” it is a software testing technique aimed at scrambling any input to an application — file formats, UI devices such as a keyboard and mouse, network protocol data, etc. — in an attempt to break its functionality. It sees wide use in security testing, among other QA scenarios.

We recently talked about Microsoft’s Project Springfield which is a Cloud-based fuzz testing application. No matter the audience for your company’s application development efforts, fuzz testing needs to be part of your QA arsenal. Let’s take a closer look at this vital part of the software testing process.

Breaking an Application’s Inputs

Vetting how an application handles its input — no matter the source — is the primary goal of fuzz testing. Considering the wide use of SQL injection techniques in hacking, any program needs to be able to either restrict the kinds of data sent to it or properly recognize and deal with nefarious inputs. Just verifying that an app doesn’t crash isn’t good enough; the security of the entire computing infrastructure hosting a hacked application is at risk.

While primarily used for black-box testing, where invalid data is sent into an application, fuzz testing techniques are also leveraged in white-box testing to truly test how the source code handles faulty input data. It is also leveraged to see whether an app properly deals with any memory issues, including those dreaded crash-causing leaks.

Automation is primarily used for fuzz testing, although QA engineers and developers need to be closely involved in the process. Automated routines are able to combine fuzz and stress testing to great effect. It helps in ensuring proper code coverage, as well as finding bugs not yet defined by a test case. 

Types of Fuzzers

There are two common types of fuzz testing applications, commonly known as fuzzers. Mutation fuzzers take existing input data patterns and modify or “mutate” them to create a variety of test data to vet the application’s inputs. On the other hand, generation fuzzers create the input data from scratch based upon specifications; these are sometimes known as specification-based fuzzers.

Leveraging both types helps ensure the complete testing of any application’s inputs.
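
The two fuzzer types described above, run against the same small parser. This is an added example, not code from the original post or from any tool it mentions; the record layout, the seeded length-check defect, and all names are assumptions made for illustration.

```python
# Added example: mutation vs. generation fuzzing of a constructed toy parser.
# Record layout (assumed for illustration): type(1) | length(1) | payload.
VALID_TYPES = {1, 2}
SEED = b"\x01\x04ABCD"            # constructed known-good sample
INTERESTING = (0x00, 0x7F, 0x80, 0xFF)

def parse_record(data):
    if len(data) < 2:
        raise ValueError("short header")      # intended, clean rejection
    rtype, declared = data[0], data[1]
    if rtype not in VALID_TYPES:
        raise ValueError("unknown type")
    payload = data[2:2 + declared]
    # Seeded defect: trusts the declared length instead of len(payload).
    last = payload[declared - 1] if declared else 0
    return rtype, last

def mutate(seed):
    """Mutation fuzzer: alter one known-good sample a byte at a time."""
    for i in range(len(seed)):
        flips = [seed[i] ^ (1 << bit) for bit in range(8)]
        for value in flips + list(INTERESTING):
            yield seed[:i] + bytes([value]) + seed[i + 1:]
    for cut in range(len(seed)):
        yield seed[:cut]                      # truncated copies

def generate():
    """Generation fuzzer: build records from the spec with boundary values."""
    for rtype in (0, 1, 2, 3, 255):
        for declared in (0, 1, 255):
            for actual in (0, 1, 255):
                yield bytes([rtype, declared]) + b"A" * actual

def run(inputs):
    """Collect inputs that escape the parser's intended ValueError path."""
    findings = []
    for data in inputs:
        try:
            parse_record(data)
        except ValueError:
            pass                              # handled rejection
        except Exception as exc:              # unhandled failure: a finding
            findings.append((data, type(exc).__name__))
    return findings

if __name__ == "__main__":
    for name, fuzzer in (("mutation", mutate(SEED)), ("generation", generate())):
        hits = run(fuzzer)
        print(name, len(hits), sorted({kind for _, kind in hits}))
```

Both fuzzers reach the unchecked length, but from different directions: single-byte mutation of the type-1 seed never produces a type-2 record, while the boundary-value generator never tries a declared length of 5.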

Additional Resources on Fuzz Testing

While many existing QA frameworks include some fuzz testing functionality, there are also a variety of commercial and open source projects focused specifically on fuzzing. Of course, Project Springfield from Microsoft warrants another mention, especially if your organization builds Windows or Azure applications. Redmond is actively looking for partners to help spread the word about Springfield.

Defensics from Codenomicon is a commercial suite of security testing applications based on fuzz testing technology. Known for its support for over 270 network protocols, file formats, and interfaces, Defensics promises to be a vital part of any QA shop’s test tool arsenal. It was the QA application that discovered the infamous Heartbleed vulnerability in 2014.

Shops interested in an open source fuzzing solution need to check out the Sulley Fuzzing Framework, downloadable on GitHub. This Python-based tool is fully automated and vets input data from network protocols, file formats, and command-line arguments. A tutorial is available on Scribd.

If your team isn’t already fuzzing as part of your QA process, use these resources to learn about the technique to ensure you deliver more secure applications to your customers.

Stay tuned to the Betica Blog for additional dispatches from the worlds of QA and software development.

Postman brings Flexibility to API QA and Development

With the myriad of API development and QA tools in the marketplace — we’ve covered many examples, most recently, SOAtest — finding one to meet the needs of your shop seems like a daunting task. Postman positions itself as an application able to plan, develop, build, test, and document APIs. Not surprisingly, it is known as the “Swiss Army Knife” of API tools.

Let’s take a closer look at Postman to see if it makes sense in your team’s toolbox. It just might be the API development application with the flexibility to supercharge your productivity.

Build APIs more Quickly with Postman

As an integrated suite for the entire API development lifecycle, Postman offers the promise of building APIs faster and more efficiently. The Postman app is available at no cost for the Windows, Mac, and Chrome platforms, while Cloud and Enterprise versions with more collaboration features cost only a nominal monthly fee.

The application’s UI facilitates the creation of HTTP requests, while integrating unit testing features to validate both response data and response time. Different requests are able to be grouped into Collections for better management. You can organize these collections into folders to mimic an API’s online structure. Sample responses are stored with each request to better explain its functionality and expected output.

It is important for developers to enter descriptive information into the request and response metadata, as the Postman UI leverages this information to describe the functionality of each request and the entire API. Developers can use the powerful search engine to find a specific request to meet their needs. This same metadata is used to automatically generate the API documentation, which becomes publicly sharable with a button click — a boon for shops developing their own public APIs.

An Application Architecture to add even more Flexibility

Postman supports a variety of add-ons to make the application even more flexible. Newman provides automated testing features, including integration with your build app and the ability to kick off testing in a cron job. Chrome users need to check out Interceptor which leverages the Chrome window to easily view cookies and to capture and import requests into the Postman app.

Both add-ons are available as free downloads.

Enterprise Collaboration Features

As mentioned earlier, the regular Postman app is a free download, but development teams can upgrade to either the Cloud or Enterprise versions of the app, providing additional collaboration features for an inexpensive monthly fee.

Postman Cloud is priced at $4.99 per user per month (billed annually), and includes access to Postman’s Cloud API along with real-time collaboration features. Enhanced team management functionality is also part of the Cloud feature set, in addition to support for admin and billing roles — another plus for public API development shops.

All the features of Cloud are also available in Postman Enterprise, with the inclusion of invoice-based billing. Enterprise is priced at $21.99 per user per month billed annually.

Considering the basic version of Postman is simply a free download, it makes perfect sense to grab a copy and give the app a test run. You may find it becomes an invaluable part of your API development arsenal. The Cloud and Enterprise editions add useful functionality for shops specializing in public API development.

Keep an eye on the Betica Blog for additional dispatches from the worlds of software development and QA. Thanks for reading!