API Contract Testing and Security: All Things Open 2023

Transcript

1. All rights reserved by Postman Inc Securing your API with

   Contract Testing W. Ian Douglas Sr Developer Advocate

2. All rights reserved by Postman Inc 27+ years in tech

   industry (engineer, mgmt, director) 8 years in advocacy 4 years as an educator hobbies: - dog training - 3d printing, airbrushing - career coaching - dad jokes What do you call a wizard who is bad at football? Fumbledore. @getpostman @iandouglas736

3. Whose Line Job is it, Anyway? So what IS an

   API Contract? API Contract Testing for API Producers API Contract Testing for API Consumers Q&A, Other resources as QR codes 1 2 3 4 5 Takeaways I would love to tell you a UDP joke, but you may not get it. @getpostman @iandouglas736

4. Whose Line Job is it, Anyway? TO THE LEFT, TO

   THE LEFT… @getpostman @iandouglas736 … where everything is made up, and the sprint points don’t matter.

5. DEVELOPMENT Build the thing DEV QA / TESTING Test all

   the things QA DEVOPS Deploy the things DEV OPS PRODUCTION Patch all the things PROD MAINTAIN … profit? MAINT I just applied for a job down at the diner. I told them I really bring a lot to the table. @getpostman @iandouglas736

6. DEVELOPMENT Build the thing DEV QA / TESTING Test all

   the things QA DEVOPS Deploy the things DEV OPS PRODUCTION Patch all the things PROD MAINTAIN … profit? MAINT SEC? SEC? SEC? SEC? @getpostman @iandouglas736

7. DEVELOPMENT Build the thing DEV QA / TESTING Test all

   the things QA DEVOPS Deploy the things DEV OPS PRODUCTION Patch all the things PROD MAINTAIN … profit? MAINT I just found out Albert Einstein existed. I always thought he was just a *theoretical* physicist. @getpostman @iandouglas736

8. DEV QA DEV OPS PROD MAINT @getpostman @iandouglas736

9. DEVELOPMENT Do ALL the things?? DEV SEC? QA DEV OPS

   PROD MAINT I lost a lot of weight by stacking bread on my head – it's part of my new loaf-hat diet. @getpostman @iandouglas736

10. DEVELOPMENT Build the thing DEV QA / TESTING Test all

    the things QA DEVOPS Deploy the things DEV OPS PRODUCTION Patch all the things PROD MAINTAIN … profit? MAINT @getpostman @iandouglas736

11. GOV GOVERNANCE Plan all the things INCLUDING SECURITY! DEVELOPMENT Build

    the thing DEV QA / TESTING Test all the things QA DEVOPS Deploy the things DEV OPS PRODUCTION Patch all the things PROD MAINTAIN … profit? MAINT People in Athens rarely get up before sunrise. Dawn is tough on Greece. @getpostman @iandouglas736

12. What is an API Contract? LEVEL-SET @getpostman @iandouglas736

13. • API Planning, Design, Governance Plan things carefully, then examine

    carefully. Then examine carefully again. • Industry Standards Validation Ensure your API definition matches industry standards, like OpenAPI Specification guidelines • End-User Schema Validation You don’t have to be a security expert here, but knowing some basics will go a long way. Why testing? Confidence AND Conformity @getpostman @iandouglas736 confidence! Sundays are always a little sad ... but the day before is a sadder day.

14. • Your code may be unique, but your problems aren’t

    • They’re called Industry Standards for a reason • Don’t write something new, extend what already exists Don’t reinvent the wheel @getpostman @iandouglas736 confidence! I married my wife for her looks ... but not the ones she's been giving me lately.

15. Testing Your Spec for Conformity, and ultimately, Security API Producers

    @getpostman @iandouglas736

16. • Get your Spec into Postman Build from scratch or

    use a repo • Fork a collection and environment into your workspace, and configure it BIG thank you to @AllenHeltonDev and his team! ❤ • Run the requests in that collection Now with more CI/CD !! Building an API Specification and Checking Conformity @getpostman @iandouglas736 I bought a book to become an expert at origami. So far all I’ve made is 1,000 paper snowballs.

17. @getpostman @iandouglas736

18. @getpostman @iandouglas736

19. @getpostman @iandouglas736

20. @getpostman @iandouglas736

21. @getpostman @iandouglas736

22. “Contract Test Generator” go.pstmn.io/contract-test-gen Security Linting with Spectral rules (enterprise

    only) @getpostman @iandouglas736 I bought Spotify Premium for an uninterrupted music experience. But I still hear my wife complaining between songs.

23. Testing things from the Consumer side API Consumer-side Testing @getpostman

    @iandouglas736 If Obi-Wan Kenobi kills several enemies at once with his lightsaber, does that make a Sith-kebab?

24. @getpostman @iandouglas736

25. @getpostman @iandouglas736

26. @getpostman @iandouglas736

27. @getpostman @iandouglas736

28. Monitors (think of it like a cron job) and CLI

    tools for CI/CD Automating All The Things @getpostman @iandouglas736 The sun is the most intelligent thing in our solar system. It has like 28 million degrees.

29. Thank You @getpostman @iandouglas736 My favorite restaurant ran out of

    flatbread but don’t want me telling people. They even made me sign a Naan-disclosure agreement!