In last week’s post we talked about what API testing is and why it’s important. In this week’s post, we’ll talk about when API testing is required and industry-specific API standards.
When is API testing required?
As a whole, API testing is not regulated, so it isn’t legally required in most cases. API security is a fairly new field, so while there aren’t currently many regulations around how APIs are built and secured, conducting API testing is still an important part of your development process. API testing can save your development team time and money, as well as ensure that your software is secure and reliable.
API Testing Requirements
Depending on what type of data is being exchanged by an API, the API may need to undergo further testing for compliance. In the United States, organizations must comply with the CLOUD Act, COPPA for online services directed to children under thirteen, and California’s Consumer Privacy Act (CCPA). It’s important for development teams to pay close attention to all relevant regulations and test their APIs appropriately.
APIs also need to follow industry-specific laws and regulations since there are different needs and concerns across industries. These industry-specific regulations will influence what steps your development team needs to take when testing APIs.
Below, we will explore API standards in healthcare, automotive, and financial services, but these are only a few examples of industry-specific API standards.
Healthcare API Standards
APIs, according to Ben Moscovich, project director of Health Information Technology at Pew Charitable Trusts, have “the potential to make healthcare more efficient, lead to better care coordination, and give providers and patients additional tools to access information and ensure high-quality, efficient, safe, and value-based care.”
While APIs haven’t been adopted by most healthcare systems until recently, the 21st Century Cures Act now requires healthcare providers to allow the easy exchange of health data for patients in order to be able to participate in the Medicare program. To accomplish this, many healthcare providers are turning to the power of APIs for this easy exchange of patient data.
Healthcare API Standards
HIPPA is the largest compliance requirement in the United States for healthcare applications. Any API used within healthcare applications needs to be tested for compliance by ensuring that protected health information is properly secured with the correct authentication protocols in place and by limiting what types of requests can access what types of data.
The healthcare industry’s standard “instruction manual” for APIs is FHIR, or the Fast Healthcare Interoperability Resource, which is the standard set by the 21st Century Cures Act to accomplish healthcare data exchange. FHIR is implementation-focused, so it's easy for development teams to use to produce working interfaces quickly. FHIR specification is free for use with no restrictions. Get started with FHIR here.
HL7 develops and publishes the FHIR standards. They also provide services to support FHIR’s implementation, such as guides, programs, and testbeds. FHIR is now both a U.S. and global standard, with full documentation in English, Russian, Chinese, and Japanese. Learn more FHIR standards and the federal regulations here.
Automotive API Standards
Many automotive manufacturers still use EDI, or Electronic Data Interchange, more than APIs to transfer electronic data, but this is changing.
APIs are used to integrate mobile apps with your vehicle’s user interface, enabling users to answer phone calls, play music, and view mobile apps on the car’s screen through integrations like Apple CarPlay.
APIs are also used with VIN and license plate identification services and vehicle data history services like CARFAX. Many car manufacturers have their own applications that tell you when service is due and communicate other information to users, such as when tire pressure is low.
Automotive API Standards
ODETTE, the Organization for Data Exchange by Tele Transmission in Europe, is responsible for the EDI standards followed by many manufacturers in the automotive industry around the world. These standards define what should be tested before releasing an application and other aspects of data exchange between vehicles and vehicle systems.
ODETTE recently formed an API Expert group to develop a standardized approach to the implementation of REST APIs in the automotive supply chain. The goal of this group is to extend ODETTE’s successful EDI standardization to APIs.
In North America, ODETTE’s equivalent is AIAG, or the Automotive Industry Action Group, but currently no API standards exist within AIAG.
Finance API Standards
APIs have played a large role in customer’s expanded access to their financial data in recent years. APIs allow users to easily and safely share and access their financial data across many financial providers, and play a role in banking, investment, budgeting, and third-party payment apps.
Finance API Standards
In North America, API standards in the financial industry have come around as more of a market-driven need for standardized APIs across the financial industry and have limited government regulation. Having standardized APIs benefits financial institutions and users, allowing for more secure and reliable data access across the industry.
FDX, or Financial Data Exchange, a non-profit industry, is the main organization that has stepped in to create an API standard for the U.S. and Canada. They are the creators of the FDX API, “a common, interoperable and royalty-free technical standard for user-permissioned financial data sharing”. The FDX API is free to access and use.
Members of FDX are financial service stakeholders that drive the APIs co-chair working groups and task forces and make decisions about how to build and implement the FDX API. Members include over 100 fintech firms and fintech stakeholders, nine of the top ten U.S. banks and all six of the top Canadian banks.
As of October 2022, 42 million consumer accounts were using FDX API for open finance data sharing, up from 32 million in June 2022.
The Future of API Testing Standards
Standards for API testing are beneficial to development teams, because standardized APIs work across software systems and organizations and can be built once and reused many times. They are also beneficial to users, because they provide safer data transfer and a consistent user experience.
These benefits will likely lead companies to adopt common API standards even without legal regulation, as has already happened in the financial and automotive industry.
API Testing Made Easy
Mayhem automatically creates and runs thousands of API tests that can help you ensure you're complying with industry best practices. Mayhem works within a single platform to find, filter, and prioritize any found vulnerabilities for your team. Try Mayhem for free for 30 days, and see how you can have complete API security quickly and easily.