After Submitting an Assessment
An email notification will be sent to the email address used to log in to the CASA portal when results are ready for review. Once verification results have been determined, specialists will explain the output and any remediation required.
There are broadly three result outcomes:
Remediation required
CASA Tier 2 passed, or
CASA Tier 2 failed
If remediation is required, CASA specialists will provide remediation guidance directly viewable in the results dashboard. For any follow-ups or near-time support, the specialists can be reached using the "Messages" feature within the CASA portal.
If the app passed CASA Tier 2 verification, congratulations! Proceed to post your trust badge.
Applications only fail CASA Tier 2 verification if 3P developers: (1) fail to meet the deadline for completion, or (2) acknowledge nonconformity with CASA requirements and choose to forgo verification.
Understand Your Results
CASA specialists will review any failed requirements and bucket them according to thematic findings and CWE ranking. The ultimate result of a CASA will be based on these failed CWEs.
Requirements will be treated as follows:
Any failed requirements with a CWE ranking of High will result in a failed assessment until fixed.
Any failed requirements with a CWE ranking of Medium will be documented internally and relayed to the developer to fix for reverification.
Any failed requirements with a CWE ranking of Low will be relayed to the developer for educational purposes only. Fixing Low-ranked CWEs is not required for verification.
Flip Your Bits
You will be able to view assessment results and address any requirements directly within the portal.
CASA specialists will provide recommendations and hands-on support for any failed requirements, based on OWASP best practices.
Follow the provided guidance to remediate any requirements with a High rating and resubmit your CASA with updated responses.
Note: If this is a reverification for an app, then any Medium failed requirements will also need to be remediated. Otherwise, you'll have a year to fix these findings, and can log in to your portal to review them at any time.
If the assessment was passed, you will receive a Letter of Assessment (LOA).