
API Contract Testing and Security: All Things Open 2023

Slide deck and speaker notes for my talk at All Things Open 2023 in Raleigh, North Carolina.

This talk was a bit of a roundabout way to look at better screening and linting of OpenAPI spec files for conformity, and also at some high-level test ideas for the OWASP Top Ten for APIs, to teach a little bit about security in our software.

Check the ATO YouTube channel for the full talk.

w. ian douglas

October 17, 2023


Transcript

  1. All rights reserved by Postman Inc. Securing your API with Contract Testing. W. Ian Douglas, Sr Developer Advocate.
  2. 27+ years in tech industry (engineer, mgmt, director); 8 years in advocacy; 4 years as an educator. Hobbies: dog training; 3D printing, airbrushing; career coaching; dad jokes. What do you call a wizard who is bad at football? Fumbledore. @getpostman @iandouglas736
  3. Agenda: 1. Whose Line Job is it, Anyway? 2. So what IS an API Contract? 3. API Contract Testing for API Producers. 4. API Contract Testing for API Consumers. 5. Q&A, Other resources as QR codes. Takeaways. I would love to tell you a UDP joke, but you may not get it.
  4. Whose Line Job is it, Anyway? TO THE LEFT, TO THE LEFT… … where everything is made up, and the sprint points don't matter.
  5. DEVELOPMENT: Build the thing (DEV). QA / TESTING: Test all the things (QA). DEVOPS: Deploy the things (DEV OPS). PRODUCTION: Patch all the things (PROD). MAINTAIN: … profit? (MAINT). I just applied for a job down at the diner. I told them I really bring a lot to the table.
  6. DEVELOPMENT: Build the thing (DEV). QA / TESTING: Test all the things (QA). DEVOPS: Deploy the things (DEV OPS). PRODUCTION: Patch all the things (PROD). MAINTAIN: … profit? (MAINT). SEC? SEC? SEC? SEC?
  7. DEVELOPMENT: Build the thing (DEV). QA / TESTING: Test all the things (QA). DEVOPS: Deploy the things (DEV OPS). PRODUCTION: Patch all the things (PROD). MAINTAIN: … profit? (MAINT). I just found out Albert Einstein existed. I always thought he was just a *theoretical* physicist.
  8. DEVELOPMENT: Do ALL the things?? (DEV, SEC?, QA, DEV OPS, PROD, MAINT). I lost a lot of weight by stacking bread on my head – it's part of my new loaf-hat diet.
  9. DEVELOPMENT: Build the thing (DEV). QA / TESTING: Test all the things (QA). DEVOPS: Deploy the things (DEV OPS). PRODUCTION: Patch all the things (PROD). MAINTAIN: … profit? (MAINT).
  10. GOVERNANCE: Plan all the things, INCLUDING SECURITY! (GOV). DEVELOPMENT: Build the thing (DEV). QA / TESTING: Test all the things (QA). DEVOPS: Deploy the things (DEV OPS). PRODUCTION: Patch all the things (PROD). MAINTAIN: … profit? (MAINT). People in Athens rarely get up before sunrise. Dawn is tough on Greece.
  11. Why testing? Confidence AND Conformity. • API Planning, Design, Governance: Plan things carefully, then examine carefully. Then examine carefully again. • Industry Standards Validation: Ensure your API definition matches industry standards, like OpenAPI Specification guidelines. • End-User Schema Validation: You don't have to be a security expert here, but knowing some basics will go a long way. (confidence!) Sundays are always a little sad ... but the day before is a sadder day.
  12. Don't reinvent the wheel. • Your code may be unique, but your problems aren't. • They're called Industry Standards for a reason. • Don't write something new, extend what already exists. (confidence!) I married my wife for her looks ... but not the ones she's been giving me lately.
  13. Building an API Specification and Checking Conformity. • Get your Spec into Postman: build from scratch or use a repo. • Fork a collection and environment into your workspace, and configure it (BIG thank you to @AllenHeltonDev and his team! ❤). • Run the requests in that collection. Now with more CI/CD !! I bought a book to become an expert at origami. So far all I've made is 1,000 paper snowballs.
  14. "Contract Test Generator": go.pstmn.io/contract-test-gen. Security Linting with Spectral rules (enterprise only). I bought Spotify Premium for an uninterrupted music experience. But I still hear my wife complaining between songs.
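Slides 11 and 14 recommend linting the OpenAPI definition for conformity and for security, with Spectral as the tool. The ruleset below is an added example written for this page; it is not from the deck, from Postman, or from the Stoplight project, and the rule names, severities and the field-name pattern are my own choices. It assumes an OpenAPI 3.x document with security declared per operation, and the open-source Spectral CLI, which runs custom rulesets locally or in CI regardless of the Postman plan. Each rule maps to a producer-side check for an OWASP API Top Ten class (broken authentication, excessive data exposure):

```yaml
# .spectral.yaml (added example, not from the deck or from Postman)
# Assumes the open-source Spectral CLI and an OpenAPI 3.x document. Run in CI with:
#   npx @stoplight/spectral-cli lint openapi.yaml --ruleset .spectral.yaml --fail-severity warn
extends: ["spectral:oas"]   # keep the stock OpenAPI conformity rules, add security ones

rules:
  # Broken authentication: every operation must state how it is protected.
  # Assumption: security is declared per operation. If the spec relies on a
  # top-level `security` block instead, drop this rule and keep the next one.
  operation-declares-security:
    description: Each operation must declare a security requirement.
    severity: error
    given: "$.paths[*][get,put,post,delete,patch]"
    then:
      field: security
      function: truthy

  # `security: []` is a deliberate opt-out that makes the operation public;
  # surface it so a reviewer confirms it is intended.
  operation-empty-security-is-public:
    description: An empty security array disables authentication; confirm this is intended.
    severity: warn
    given: "$.paths[*][get,put,post,delete,patch].security"
    then:
      function: length
      functionOptions:
        min: 1

  # A protected operation must document what an auth failure looks like,
  # otherwise the consumer cannot contract-test the negative path.
  operation-documents-401:
    description: Operations must document a 401 response.
    severity: warn
    given: "$.paths[*][get,put,post,delete,patch].responses"
    then:
      field: "401"
      function: truthy

  # Excessive data exposure: object response schemas must be closed, so an
  # extra field leaking out fails the consumer-side schema check instead of
  # passing silently. Spectral lints the $ref-resolved document, so component
  # schemas are covered too. (The if/then below is JSON Schema, not Spectral.)
  response-object-schema-closed:
    description: Object response schemas must set additionalProperties to false.
    severity: error
    given: "$.paths[*][get,put,post,delete,patch].responses[*].content[*].schema"
    then:
      function: schema
      functionOptions:
        schema:
          if:
            required: [type]
            properties:
              type:
                const: object
          then:
            required: [additionalProperties]
            properties:
              additionalProperties:
                const: false

  # Credential-like property names have no business in a response schema.
  # The name list is an assumption; extend it for your own domain.
  response-schema-no-credential-fields:
    description: Response schemas must not expose credential-like fields.
    severity: error
    given: "$.paths[*][get,put,post,delete,patch].responses[*].content[*].schema..properties[*]~"
    then:
      function: pattern
      functionOptions:
        notMatch: "/^(password|password_hash|passwordHash|secret|api_key|apiKey|ssn)$/i"
```

The last two rules are the producer-side half of the "End-User Schema Validation" the deck calls for: once the response schemas are closed and free of credential fields, the same schemas reused in the consumer's collection tests will fail a run when a new field leaks into a response, rather than accepting it as extra data. Running the lint with `--fail-severity warn` in the CI step next to the collection run (slide 16) is what turns the spec review into a gate.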
  15. API Consumer-side Testing: Testing things from the Consumer side. If Obi-Wan Kenobi kills several enemies at once with his lightsaber, does that make a Sith-kebab?
  16. Automating All The Things: Monitors (think of it like a cron job) and CLI tools for CI/CD. The sun is the most intelligent thing in our solar system. It has like 28 million degrees.
  17. Thank You. My favorite restaurant ran out of flatbread but don't want me telling people. They even made me sign a Naan-disclosure agreement!