CONTRACT TESTING: A FRAMEWORK FOR SECURITY EVALUATION IN gRPC
Publisher
Swiss German University
Abstract
The growth of APIs, including SOAP, REST, and gRPC, has made security a critical priority, with incidents such as those in the 2023 Palo Alto report highlighting the financial losses that result from API breaches. While existing tools focus on REST APIs, gRPC remains underserved and still requires time-consuming manual testing. This research addresses that gap by proposing a security testing framework tailored to gRPC, integrating automated methods that DevSecOps teams can use to improve efficiency. gRPC, built on HTTP/2, uses a binary message format and client stubs generated from proto files, which creates unique challenges for testing. By analyzing gRPC components and adapting common API security practices, the framework identifies vulnerabilities, streamlines testing, and reduces manual effort. It automates processes such as payload generation and stub generation, enabling faster and more reliable testing than traditional methods. The framework can also be combined with DevSecOps to enable continuous security validation, so that vulnerabilities are identified early in the development lifecycle. This approach not only improves testing efficiency by significantly reducing the time required, but also sets a benchmark for secure API development. Ultimately, this research serves as a reference for security professionals looking to improve gRPC API testing, offers practical solutions to address security gaps, and paves the way for further advancements in gRPC security practices.
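The abstract notes that the framework derives test payloads from the proto files that also drive stub generation. The following is an added illustration, not code from the thesis: it parses a constructed minimal proto3 definition with regular expressions (a subset of scalar types only, an assumption for brevity) and emits one boundary-value request per field, which a tester would then send through the generated client stub to check the server's input validation.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .proto (not from the thesis) used to drive payload generation.
SAMPLE_PROTO = """
syntax = "proto3";
service Account {
  rpc GetBalance (BalanceRequest) returns (BalanceReply);
}
message BalanceRequest {
  string account_id = 1;
  int32 page_size = 2;
}
"""

MESSAGE_RE = re.compile(r"message\s+(\w+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(string|int32|int64|uint32|bool|bytes)\s+(\w+)\s*=\s*\d+;", re.M)
RPC_RE = re.compile(r"rpc\s+(\w+)\s*\(\s*(\w+)\s*\)")

# Boundary values per scalar type: empty, oversized and out-of-range inputs that exercise
# length limits and integer bounds. 2**31 cannot be encoded as int32 and should be rejected.
BOUNDARY_VALUES = {
    "string": ["", "A" * 65536, "\u0000"],
    "int32": [-1, 0, 2**31 - 1, 2**31],
    "int64": [-1, 0, 2**63 - 1, 2**63],
    "uint32": [0, 2**32 - 1, 2**32],
    "bool": [True, False],
    "bytes": [b"", b"\xff" * 65536],
}
# Benign defaults so that every generated case isolates a single field under test.
DEFAULTS = {"string": "x", "int32": 1, "int64": 1, "uint32": 1, "bool": False, "bytes": b"x"}


def parse_messages(proto: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {message_name: [(type, field_name), ...]} for supported scalar fields."""
    return {name: FIELD_RE.findall(body) for name, body in MESSAGE_RE.findall(proto)}


def parse_rpcs(proto: str) -> Dict[str, str]:
    """Return {rpc_name: request_message_name} for every rpc in the file."""
    return dict(RPC_RE.findall(proto))


def generate_payloads(proto: str) -> Dict[str, List[dict]]:
    """Build, per RPC, one request dict for each (field, boundary value) pair."""
    messages = parse_messages(proto)
    cases: Dict[str, List[dict]] = {}
    for rpc, request_type in parse_rpcs(proto).items():
        fields = messages.get(request_type, [])
        defaults = {name: DEFAULTS[typ] for typ, name in fields}
        cases[rpc] = [dict(defaults, **{name: value})
                      for typ, name in fields for value in BOUNDARY_VALUES[typ]]
    return cases
```

Each dict maps directly onto the generated request message class (for example `BalanceRequest(**payload)`), so the same list can feed a stub produced by `grpc_tools.protoc` in a CI job.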