Fuzzing REST APIs in Industry: Necessary Features and Open Problems
This addresses the problem of making automated REST API testing practical for industry, but it is incremental as it builds on existing tools and focuses on integration rather than new methods.
The paper tackles the challenge of integrating academic fuzzing tools like EvoMaster into industrial settings, reporting on its use at Volkswagen AG from 2023 to 2026, which involved feedback on 4 APIs and a user study with 11 testing specialists from 4 companies.
REST APIs are widely used in industry, in all different kinds of domains. An example is Volkswagen AG, a German automobile manufacturer. Established testing approaches for REST APIs are time consuming, and require expertise from professional test engineers. Due to its cost and importance, in the scientific literature several approaches have been proposed to automatically test REST APIs. The open-source, search-based fuzzer EvoMaster is one of such tools proposed in the academic literature. However, how academic prototypes can be integrated in industry and have real impact to software engineering practice requires more investigation. In this paper, we report on our experience in using EvoMaster at Volkswagen AG, as an EvoMaster user from 2023 to 2026. We share our learnt lessons, and discuss several features needed to be implemented in EvoMaster to make its use in an industrial context successful. Feedback about value in industrial setups of EvoMaster was given from Volkswagen AG about 4 APIs. Additionally, a user study was conducted involving 11 testing specialists from 4 different companies. We further identify several real-world research challenges that still need to be solved.