Cloud Application Security Assessment (CASA)

Overview

As complex systems are connected through cloud-to-cloud integrations, it is important to have a standard way to secure consumer data and privacy. Over the past decade, cloud infrastructure security has improved substantially; however, significant security challenges remain in the application layer.

CASA builds upon the industry-recognized OWASP Application Security Verification Standard (ASVS) to provide a baseline set of security controls that should be implemented in cloud applications. Further, CASA provides a uniform way to assess these controls when such assessments are required for applications to access Google user data. CASA adds a multi-level assessment method to address the change in risk based on user base, requested scopes, and other application-specific factors. Though we highly recommend third-party assessments, we provide a means for all companies to begin improving their security through a self-assessment program. If you are eligible for this program, Google will reach out directly to initiate next steps.

Benefits

We want to drive the industry to give users the transparency and control they expect when it comes to data security and privacy for the apps they use. Performing security assessments of cloud applications and their back-end services greatly reduces common vulnerabilities, while increasing consumer confidence in the final products and services.

How it works

The CASA framework provides a basis for testing web application technical security controls using the OWASP Application Security Verification Standard (ASVS).

Figure 1: CASA framework

The CASA framework provides test guidelines for evaluating web apps across the fourteen categories of the Application Security Verification Standard 4.0.

Security assessment tiers

CASA recognizes three tiers of assessment for cloud applications:

  • Tier three assessments require the developer to complete a self-assessment questionnaire, which is then reviewed by a CASA Authorized Lab. This is a paper review of the developer-supplied information.
  • Tier two assessments require the developer to complete a self-assessment questionnaire, which is then reviewed by a CASA Authorized Lab. This is a paper review of the developer-supplied information, with the addition of configuration checks.
  • Tier one assessments include the steps of tier two, plus a full security assessment performed by the CASA Authorized Lab.
Figure 1: CASA framework

The assessments must meet the CASA baseline requirements drawn from the OWASP ASVS 4.0 security standard. The assessments are intended to be time-limited black-box audits of the externally accessible interfaces; they do not cover cloud infrastructure or internal server-to-server communications. It is recommended that developers perform security assessments throughout the development process; however, CASA only requires annual updates to the security assessment report.

It is recommended that developers review and implement all the controls in the level 1 and level 2 ASVS specification; however, the App Defense Alliance (ADA) only requires a subset of the full ASVS requirements.

Authorized Lab partners

Start your CASA Assessment by reaching out to the lab partners and submitting the security assessment questionnaire.