Before you begin
Follow the emailed instructions to create an account (if this is your first CASA) and log in.
What you will need to submit your CASA:
- CASA Tier 2 Notification email
- Industry certifications (if any)
- AST configuration file(s): an export of the scanning policy, screenshots of the CWEs scanned, or any evidence showing what you scanned against.
- AST scan result(s) in plain text (.txt) format.
If you used custom tools:
- OWASP benchmark results (more info)
CASA Portal Getting Started
For first-time portal users, a Tier 2 CASA will be automatically generated. New assessments can be created anytime from the portal home page.
Opening a case leads to a Getting Started page requesting the following:
- Project Contact Name (first and last)
- Project Contact Email
- Project Contact Phone
- Legal Entity Name
- Website
- Assessment Type ("New" or "Reassessment")
- Application Scope
- Google Project ID
This information is used to identify which CASA requirements are in scope for your application and collect the necessary app metadata to issue a Letter of Verification.
NOTE: A CASA must be submitted for verification review within 30 days of initiation. Requests for a deadline extension are evaluated on a case-by-case basis.
CASA Portal Tier 2 Uploads
Upload all evidence collected in Step 1 and Step 2. This includes:
- Existing CASA-accepted security frameworks
- AST configuration file(s)
- AST scan result(s) in xlsx, csv, xml, or pdf format
- OWASP benchmark results (*only for custom or alternative AST scans)
NOTE: Security frameworks are optional to accelerate your CASA and not required for verification. Revisit Step 1 for more detail.
Need help? Use the integrated "Messages" feature within the portal to communicate directly with a CASA specialist. Email notifications for responses are sent to the email address used to log into the portal.
REMINDER: Code scanning is required for Tier 2 verification. No application code, scan results, or vulnerability findings are shared or disclosed to Google as part of verification.
CASA Portal Self-attestation Survey
The portal will validate the inputs provided and provide a set of remaining requirements for self-attestation, organized by CASA chapters. For users accelerating CASA with a large number of security frameworks, self-attestation may not be required. In these cases, the self-attestation survey portion of the portal will not appear.
In most cases, there will be a small number of requirements that require self-attestation. For these requirements, the responding 3P developer will need to self-attest to a series of "Yes, No, N/A" questions tied to CASA requirements.
A comment field is available for the developer to justify each response with how the application satisfies or does not satisfy a given requirement. CASA acceptance criteria provide a non-exhaustive set of examples as reference.
NOTE: Do not modify questions automatically populated as being "Fulfilled by prerequisite". These choices are automatically selected by the CASA portal based on responses in the Tier 2 Uploads section.
To qualify for Tier 2 verification, you must:
- Remediate any failed CWEs that are mapped to CASA requirements
- Self-attest for non-scannable CASA requirements
Once all assessment prerequisites have been completed sufficiently, the CASA Portal will prompt a developer to submit for verification.
Finalize