Step 1 | Get to know & accelerate CASA

tier 2 customize
start sign

Understand Tier 2

The Tier 2 CASA is aligned to the OWASP Application Security Verification Standard (ASVS) v4.0. There are 134 requirements total, with each mapped to its own set of acceptance criteria. Most of the ASVS is also associated with a set of CWEs, which grants us greater flexibility in determining whether a requirement has been met.



Simply follow the CASA AST guidance based on which scans are required for your application. 

To qualify for Tier 2 verification, results must show:

  • No failed CWEs mapped to CASA requirements on your scan results

OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.


start sign

Requirements are met in 3 ways

In a Tier 2 verified self-assessment, requirements are broadly fall into two categories:

  1. Functional requirements

  2. Non-functional requirements

Functional requirements must be verified using an application security testing (AST) scan.

Non-functional requirements are verified using a combination of existing CASA accepted security certifications and developer self-attestation.


start sign

Accelerate your CASA journey

With a foundational understanding of the CASA and requirements that apply to your app, go see how many can be automated with the CASA Accelerator tool. Simply provide the tool:

  • Your application type

  • Existing CASA-accepted security frameworks (see: guidance)
  • AST tools you use or intend to use (see: guidance)

Tier 2 Accelerator

start sign

Prepare to scan your app

The CASA Accelerator provides a short list of CWEs that must be loaded into an AST scan policy, or displayed in an existing AST scan result. 

It is recommended to export the list of CWEs and linked CWEs for reference in here.

Next Step