Step 1 | Get to know & accelerate CASA


Understand Tier 2

The Tier 2 CASA is aligned to the OWASP Application Security Verification Standard (ASVS) v4.0. There are 134 requirements total, with each mapped to its own set of evidence and acceptance criteria. Most of the ASVS is also associated with a set of CWEs, which grants us greater flexibility in determining whether a requirement has been met.

Simply follow the CASA AST guidance based on which scans are required for your application. 

To qualify for Tier 2 verification, results must show:

  • No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit

  • No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)

OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.


Requirements are met in 3 ways

In a Tier 2 verified self-assessment, requirements broadly fall into two categories:

  1. Functional requirements

  2. Non-functional requirements

Functional requirements must be verified using an application security testing (AST) scan.

Non-functional requirements are verified using a combination of existing CASA accepted security certifications and developer self-attestation.


Accelerate your CASA journey

With a foundational understanding of the CASA and the requirements that apply to your app, see how many can be automated with the CASA Accelerator tool. Simply provide the tool:

  • Your application type

  • Existing CASA-accepted security frameworks (see: guidance)
  • AST tools you use or intend to use (see: guidance)

Tier 2 Accelerator


Prepare to scan your app

The CASA Accelerator provides a short list of CWEs that must be loaded into an AST scan policy, or displayed in an existing AST scan result. 

It is recommended to export the list of CWEs and linked CWEs for reference.
