Publishing all things that require integration as standard APIs not only eliminates some integration expenses, but also greatly simplifies the way integrated software systems are designed and managed.
But, while Web services can simplify some things, it can complicate others. Once you develop a set of APIs to make it easier to access your services, you may see a significant rise in the number of entities that want to make use of those APIs. Also, you may lose the tight control you had over those entities. Or, maybe the advent of Web services made it possible for you, your suppliers, and your customers to build an entire ecosystem around a supply-chain that includes transactions involving complex timings and roll-back mechanisms.
Given those potential complexities, you may want some guarantees that other systems accessing your APIs are not only up to snuff, but are accessing those APIs in the way that you intended them to be accessed.
We have seen those guarantees--in the form of certification--on the packages of hardware and software products. Products are certifiably compatible with Windows, NetWare, or whatever else has APIs. To receive those certifications, a product presumably has to pass some test of quality control.
One of the stated purposes of the Web Services Interoperability Organisation (the WS-I) is to provide test suites to vendors in order to make sure that their products are indeed compliant with Web service standards like SOAP and WSDL and that they can interoperate with other compliant products.
So, if all this testing is good for vendors that publish APIs to their software, why shouldn't it be good for you--now that you're publishing APIs? Before a business partner can access your back-end systems through your APIs, perhaps that partner should pass some test to ensure that it is fully compliant with your rules and procedures for using those APIs. For example, you might want to make sure that confidential data can't be leaked or compromised, or that the right version of some encryption protocol is being used.
But developing and administering those tests, perhaps going as far as to establish a formal certification program, can get quite complicated. Your best bet might be to outsource it.
One reputable testing outfit that I've known for a long time is Utah-based KeyLabs. Mike Fahnert, KeyLabs president, says that any partner that wants to integrate with eBay's APIs has to pass a test and get certified. According to Fahnert, eBay outsources the entire process to KeyLabs.
One reason it makes sense to outsource Web service testing and certification is that you don't have to keep re-inventing the wheel. For example, as KeyLabs amasses more experience in Web service testing and certification, all of its clients will benefit as that collective experience is worked into KeyLabs' standard testing methodologies. Eventually, KeyLabs should be in position to look at your own code and help you make it more foolproof and easier for third parties to get certified.
Fahnert calls the program KeyAssurance, and the goal is to provide full life cycle quality, performance, and security testing services along with a methodology. "Assess, test, and maintain," says Fahnert. "Get our customers through their lifecycles."
Digital signatures too?
When certifying partners to access your Web services, you want to make sure that they continue to use the certified code and not some untested revision. Also, you want to be certain that the code accessing your system isn't imposter code from someone other than your partner. I suggested to Fahnert that certified Web services should get digitally signed too. This would require the same sort of digital signature infrastructure that's used already with downloadable software. The difference is that your systems (as opposed to humans) will need to determine if the code is signed and what action to take if it isn't.
Fahnert agrees that it's an issue and says he's already looking into ways that the problem can be solved.
I can't tell you whether or not KeyLabs is the right company to turn to for this. Having eBay is certain a feather in its cap, but even Fahnert agrees that this whole business of testing Web services is brand new. I do think it makes sense to outsource the project to a reputable expert. So far, KeyLabs is the only company I know of that's going to offer such a service. I'm sure there will be others.
