Cloud Application Security Assessment (CASA)


As complex systems are connected through cloud to cloud integrations, it is important to have a standard way to secure consumer data and privacy. Over the past decade, there has been a large improvement in cloud infrastructure security. However, there are significant security challenges left in the application layer.

CASA has built upon the industry recognized standards coming from OWASP's Application Security Verification Standard (ASVS) to provide a baseline set of security controls which should be implemented in cloud applications. Further, CASA provides a uniform way to perform assessments of these controls when such assessments are required for Applications to access Google User Data. CASA has added a multi-level assessment method to address the potential change in risk based on user, scope, and other application specific items. Though we highly recommend third party assessments, we provide a means for all companies to begin improving their security through a self-assessment program. If you are eligible for this program, Google will reach out directly to initiate next steps.


We want to drive the industry to give users the transparency and control they expect when it comes to data security and privacy for the apps they use. Performing security assessments of the cloud applications and back end services will greatly reduce common vulnerabilities, while increasing consumer confidence in the final products and services.

How it works

The CASA framework provides a basis for testing web application technical security controls based on the OWASP Application Security Verification Standard (ASVS).

CASA framework
Figure 1: CASA framework

CASA framework provides test guidelines for evaluating Web Apps across fourteen categories of the Application Security Verification Standard 4.0

Security assessment tiers:

CASA recognizes three tiers of assessment for cloud applications

CASA assessments
Figure 2: CASA assessment tiers

The assessments must meet the CASA baseline requirements from the OWASP ASVS 4.0 security standard. The assessments are intended to be time-limited functional audits of the externally accessible interfaces, and do not include cloud infrastructure or internal server communications. It is recommended that developers perform security assessments throughout the development process. However, CASA only requires annual updates to the security assessment report.

It is recommended that developers review and implement all the controls in the level 1 and level 2 ASVS specification, however, ADA only requires a subset of the full ASVS requirements.

Authorized Lab partners:


GDS Ltd-An Aon Group
Bishop Fox
Leviathan Security
NCC Group
NST Cyber
Orange Cyberdefense South Africa (Pty) Ltd
Prescient Security LLC
TAC Security