gRPC Security: How StackHawk Tests gRPC Services

Blog post from StackHawk

Post Details
Company: StackHawk
Author: Austin Pearigen and Dana White
Word Count: 615
Language: English
Summary

gRPC (gRPC Remote Procedure Calls) is increasingly adopted for its performance and its language-agnostic interfaces, but securing gRPC services remains difficult. StackHawk engineers Dana White and Austin Pearigen examine gRPC security through Dynamic Application Security Testing (DAST), which probes a running application the way an attacker would in order to find exploitable vulnerabilities.

They describe how StackHawk adapted its DAST scanner to gRPC, which conventional HTTP/1-oriented scanners struggle with: gRPC runs over HTTP/2 and carries binary Protocol Buffers payloads rather than text bodies a scanner can simply mutate. StackHawk's scanner reads a file descriptor set to learn the service schema (services, methods and message types) and uses Protocol Buffers' DynamicMessage class to construct well-formed test messages from that schema without generated client code. The company also built Hawk Perch, a tool that gives developers real-time feedback while they iterate on complex authentication setups.

The platform identifies a range of vulnerabilities, including SQL injection, and provides remediation steps so teams can secure their gRPC applications. A free trial lets users scan a single application, reflecting the post's emphasis on addressing security early in development.
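The paragraph above describes the two ingredients a gRPC scanner needs: a schema read from a file descriptor set, and a way to build request messages from that schema without generated client code. The following is an added example, not StackHawk's code and not the post's: it uses a hand-rolled Protocol Buffers wire encoder in place of the DynamicMessage class the post mentions, and the schema, service description and injection payloads are constructed stand-ins for what a scanner would read from a real FileDescriptorSet (produced with protoc --descriptor_set_out). It shows how test messages are serialized field by field from the schema, how each message is framed as a gRPC length-prefixed message, and how an injection payload is placed into every string field in turn. Only the Python standard library is used.

```python
"""
Build gRPC test requests from a service schema without generated client code.

Added illustration, not StackHawk's code: a hand-rolled Protocol Buffers wire
encoder stands in for the DynamicMessage class the post mentions, and the
schema below is a constructed stand-in for what a scanner would read from a
FileDescriptorSet (protoc --descriptor_set_out). Standard library only.
"""
import struct

# Constructed schema: message name -> {field name: (field number, scalar kind)}.
SCHEMA = {
    "UserLookupRequest": {
        "username": (1, "string"),
        "page": (2, "int32"),
        "include_deleted": (3, "bool"),
    },
}

# Constructed service description; a real scanner takes this from the descriptor set.
SERVICE = {"package": "example.users.v1", "name": "UserService",
           "method": "LookupUser", "request": "UserLookupRequest"}

# Constructed injection payloads a scanner might place in every string field.
SQLI_PAYLOADS = ["' OR '1'='1", "1; DROP TABLE users--"]


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 data bits per byte, high bit set on all but the last."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def encode_field(number: int, kind: str, value) -> bytes:
    """Encode one scalar field as tag (field number << 3 | wire type) + payload."""
    if kind in ("int32", "bool"):
        value = int(value)
        if value < 0:  # protobuf sign-extends a negative int32 to a 10-byte varint
            value &= 0xFFFFFFFFFFFFFFFF
        return encode_varint((number << 3) | 0) + encode_varint(value)
    if kind == "string":
        data = value.encode("utf-8")
        return encode_varint((number << 3) | 2) + encode_varint(len(data)) + data
    raise ValueError(f"unsupported field kind: {kind}")


def build_message(message_name: str, values: dict) -> bytes:
    """Serialize a message from field values using only the schema (dynamic construction)."""
    fields = SCHEMA[message_name]
    body = bytearray()
    for name, value in values.items():
        number, kind = fields[name]  # an unknown field name fails loudly
        body += encode_field(number, kind, value)
    return bytes(body)


def grpc_frame(payload: bytes) -> bytes:
    """gRPC length-prefixed message: 1-byte compressed flag + 4-byte big-endian length + data."""
    return b"\x00" + struct.pack(">I", len(payload)) + payload


def grpc_path(service: dict) -> str:
    """HTTP/2 :path for a unary call is /<package>.<Service>/<Method>."""
    return f"/{service['package']}.{service['name']}/{service['method']}"


def injection_cases(service: dict, baseline: dict):
    """Yield (path, field, payload, framed request) for every string field x payload."""
    message_name = service["request"]
    for field_name, (_, kind) in SCHEMA[message_name].items():
        if kind != "string":  # numeric and bool fields cannot carry an injection string
            continue
        for payload in SQLI_PAYLOADS:
            values = dict(baseline, **{field_name: payload})
            frame = grpc_frame(build_message(message_name, values))
            yield grpc_path(service), field_name, payload, frame


if __name__ == "__main__":
    base = {"username": "alice", "page": 2, "include_deleted": True}
    for path, field, payload, frame in injection_cases(SERVICE, base):
        print(path, field, repr(payload), frame.hex())
```

Each framed request is what would be sent as the HTTP/2 DATA body of a POST to the returned :path with content-type application/grpc; the scanner would then inspect the response status and grpc-status trailer for evidence that the payload reached a database. A real scanner replaces the hand-written SCHEMA with types parsed from the descriptor set, which is what lets it cover nested messages, enums and repeated fields that this stand-in leaves out.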