I'm currently in the process of seeking a CASA Tier 2 Assessment for my project. As part of our application's verification requirements, we've been instructed to complete a CASA Tier 2 security assessment by June.
However, I'm unsure about the steps involved in obtaining a CASA Tier 2 Assessment and the best approach to ensure a smooth and efficient process. I would greatly appreciate any guidance or advice on how to proceed in obtaining this assessment for our project.
Hello @ss45,
Take a look at CASA Tier 2 Process. The process starts when your application receives a notification that it is in scope for the Tier 2 Assessment. According to this blog, it is triggered where your project uses restrictive OAuth scopes.
If the above option doesn't work, you can contact Google Cloud Support to further look into your case. Hope it helps, thanks!
<PII removed by staff>, text me, I have done CASA Tier 2 for 50+ clients till now.
Hey there, I would need to extend my CASA Tier 2 deadline... I can see that in the mail from them, but I am not able to find where I can do that after going on the page... Do you know where I can do that?
Thank you :).
It is now mandatory through authorized labs (TAC Security), but still they won't tell you which option to go with. Kindly let me know, is it web app, mobile app or ...?
Hi,
I want to submit my CASA assessment, and to do so, I need to scan my website using the CASA recommendation app. I’m trying to use ZAP software for this, but I haven’t been successful in scanning the app with authentication. Can you help me?
Info: My frontend and backend URLs are different, and I’ve implemented JWT token-based security.
Using ZAP, the scanning report is generated, but in the scan results, the spider only travels one host URL and authentication is never performed.
I can guide you on both DAST and SAST. Still, my recommendation would be to go with SAST, especially when dealing with a web app, as that would save you time in dealing with false positives and the process would be smooth.
If you want this process to be smooth, go with Fluid Attacks SAST, as with DAST (OWASP ZAP) you will encounter many false positives, which will make this process lengthy.
The best approach would be to do SAST using Fluid Attacks, as it minimizes the false positives encountered in DAST using ZAP.
I have completed project scanning using FluidAttacks for a CASA Tier 2 assessment. What is my next step? According to the documentation, I need to submit my results, but which portal should I use? Please provide a link. I searched across the internet and found one link, but it doesn't open: (URL Removed by Staff).
I'm very surprised that there are very few blogs available on the internet, and none provide a complete guideline.
@abdul2 I'm currently trying to get the certification for my app. I have to go, as suggested by Google, via TAC Security. I would appreciate it if you could answer some of my questions:
1. Do I have to do the tests on my code and just submit the results to TAC Security, or do they perform the tests?
2. In case I do them, do I have to submit only my Fluid Attacks report (so only SAST)? Do they not require DAST?
3. I was wondering what happens if I get the cheapest option of $540 and I need more than 2 Cycle Revalidation (will I even need more than that)?
4. In that case, is the next option of $720 better?
Thank you in advance
Hello @rabbat_0102 !
Were you able to find the answers to your questions?
Please share any information you have.