Contract Testing: A Framework for Security Evaluation in gRPC

Authors

  • Muhamad Zaenul Hasan Basri, Swiss German University
  • Charles Lim, Swiss German University
  • Kalpin Erlangga Silaen, Swiss German University


https://doi.org/10.59188/eduvest.v5i10.52074


Keywords: gRPC, API security, automated testing, security framework, DevSecOps

Abstract

The growth of APIs, including SOAP, REST, and gRPC, has made security a critical priority; incidents such as those in the 2023 Palo Alto report highlight the financial losses that result from API breaches. While existing tools focus on REST APIs, gRPC remains underserved and still requires time-consuming manual testing. This research addresses that gap by proposing a security testing framework tailored to gRPC, integrating automated methods that DevSecOps teams can use to improve efficiency. gRPC, built on HTTP/2, uses a binary message format and client stubs generated from proto files, which creates unique challenges for testing. The methodology involves extracting payloads, generating stubs from proto files, creating test cases, and executing automated tests for vulnerabilities such as SQL injection and XSS. By analyzing gRPC components and adapting common API security practices, the framework identifies vulnerabilities, streamlines testing, and reduces manual effort. It automates payload generation and stub generation, enabling faster and more reliable testing than traditional methods. Results show that GSTF reduces testing time by 99% compared to manual methods while maintaining comprehensive coverage. Although some false positives were noted, the framework effectively identifies critical vulnerabilities and integrates with DevSecOps pipelines. The approach improves testing efficiency and sets a benchmark for secure API development, providing a practical solution for enhancing gRPC security and a foundation for future work on API security automation.
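The pipeline the abstract describes (proto file in, generated test cases out, automated execution with vulnerability classification) can be sketched in a few dozen lines. The block below is an added illustration and is not the paper's GSTF implementation; the `.proto` text, the canary payloads, the SQL error patterns and the `fake_invoke` stand-in for a generated client stub are all constructed here, so it runs without the `grpcio` package. It also shows why the abstract's false positives arise: response classification is a string heuristic.

```python
"""Added example (not the paper's GSTF code): enumerate RPC methods and
string-typed request fields from a .proto definition, generate one test case
per field and vulnerability class, execute them through a pluggable invoker,
and flag responses that show injection indicators."""

import re
from dataclasses import dataclass

# Constructed sample proto standing in for the service under test.
SAMPLE_PROTO = """
syntax = "proto3";
package shop;

service Catalog {
  rpc SearchItems (SearchRequest) returns (SearchReply);
  rpc GetItem (ItemRequest) returns (Item);
}

message SearchRequest {
  string query = 1;
  int32 limit = 2;
}

message ItemRequest {
  string id = 1;
}

message Item {
  string id = 1;
  string name = 2;
}

message SearchReply {
  repeated Item items = 1;
}
"""

# Canary payloads (constructed): markers that make reflection or error
# leakage unambiguous without relying on a working exploit.
PAYLOADS = {
    "sqli": "gstf'\"",        # unbalanced quotes provoke DB error text
    "xss": "<gstf-canary>",   # a tag that must never be echoed back raw
}

# Response indicators (constructed; a real suite would use the target's
# own error strings). Matching text only is a heuristic and can false-positive.
SQL_ERROR_PATTERNS = re.compile(
    r"(syntax error|unterminated quoted|sqlstate|near ['\"])", re.IGNORECASE)

RPC_RE = re.compile(r"rpc\s+(\w+)\s*\(\s*(\w+)\s*\)\s*returns\s*\(\s*(\w+)\s*\)")
MSG_RE = re.compile(r"message\s+(\w+)\s*\{([^}]*)\}", re.S)
FIELD_RE = re.compile(r"^\s*(repeated\s+)?(\w+)\s+(\w+)\s*=\s*\d+", re.M)


@dataclass(frozen=True)
class TestCase:
    rpc: str
    request_type: str
    field: str
    category: str
    payload: str


def parse_proto(text):
    """Return ([(rpc, request_type, response_type)], {message: [(field, type)]}).
    Flat messages only; nested messages are out of scope for this sketch."""
    messages = {}
    for name, body in MSG_RE.findall(text):
        messages[name] = [(fname, ftype) for _rep, ftype, fname in FIELD_RE.findall(body)]
    return RPC_RE.findall(text), messages


def generate_test_cases(text):
    """One case per (rpc, string field, payload class); non-string fields are skipped."""
    rpcs, messages = parse_proto(text)
    cases = []
    for rpc, req, _resp in rpcs:
        for fname, ftype in messages.get(req, []):
            if ftype != "string":
                continue
            for category, payload in PAYLOADS.items():
                cases.append(TestCase(rpc, req, fname, category, payload))
    return cases


def classify_response(case, status_code, response_text):
    """Return a finding label or None. status_code mimics grpc.StatusCode names."""
    if case.category == "sqli" and SQL_ERROR_PATTERNS.search(response_text):
        return "sqli-error-leak"
    if case.category == "xss" and case.payload in response_text:
        return "xss-reflected"
    return None


def fake_invoke(case):
    """Constructed stand-in for a generated client stub calling the service."""
    if case.rpc == "SearchItems":
        # Echoes the query back unescaped in the reply.
        return "OK", f'{{"items": [], "echo": "{case.payload}"}}'
    if case.rpc == "GetItem":
        if "'" in case.payload:
            return "INTERNAL", "sqlite3.OperationalError: unterminated quoted string at offset 9"
        return "NOT_FOUND", "item not found"
    return "UNIMPLEMENTED", ""


def run_suite(proto_text, invoke):
    """Execute every generated case through `invoke` and collect findings."""
    findings = []
    for case in generate_test_cases(proto_text):
        status, body = invoke(case)
        label = classify_response(case, status, body)
        if label:
            findings.append((case.rpc, case.field, label))
    return findings


if __name__ == "__main__":
    for finding in run_suite(SAMPLE_PROTO, fake_invoke):
        print(finding)
```

Replacing `fake_invoke` with a function that builds the request message through a `protoc`-generated stub and calls the real channel is the only change needed to point this at a live service; the `status_code` parameter is where the gRPC status (for example `INTERNAL`) would be combined with the body text to cut down on the heuristic's false positives.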



Published

2025-10-07