Understand Tier 2
The Tier 2 CASA is aligned to the OWASP Application Security Verification Standard (ASVS) v4.0. There are 134 requirements total, with each mapped to its own set of evidence and acceptance criteria. Most of the ASVS is also associated with a set of CWEs, which grants us greater flexibility in determining whether a requirement has been met.
Simply follow the CASA AST guidance based on which scans are required for your application.
To qualify for Tier 2 verification, results must show:
- No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit
- No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)
OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.
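The acceptance criteria above reduce to a gate over scan findings keyed by the CWE each finding maps to. The following is an added example (not part of the CASA documentation or its tooling) showing that gate as code. The `CWE_LIKELIHOOD` table, the `Finding` type and the sample findings are constructed placeholders; the real "Likelihood of Exploit" value comes from each CWE entry, and the CWE mapping comes from your scanner.

```python
"""Triage AST scan findings against the Tier 2 acceptance criteria.

Added example; not CASA's own code. The CWE likelihood table, the Finding
type and the sample findings below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed CWE -> "Likelihood of Exploit" table. These labels are
# placeholders: look up the real field on each CWE entry instead of
# trusting this dict.
CWE_LIKELIHOOD = {
    "CWE-79": "high",
    "CWE-89": "high",
    "CWE-200": "medium",
    "CWE-1021": "medium",
    "CWE-312": "low",
}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that produced the finding (e.g. "sast", "dast")
    rule: str       # scanner rule id
    cwe: str        # e.g. "CWE-79"; empty string if the rule has no CWE mapping
    location: str   # file:line or URL reported by the scanner


def likelihood(cwe: str) -> str:
    """Likelihood label for a CWE; unmapped or unknown CWEs are 'unknown'."""
    return CWE_LIKELIHOOD.get(cwe, "unknown")


def tier2_assess(findings, revalidation: bool = False) -> dict:
    """Apply the Tier 2 gate.

    High-likelihood findings always block. Medium-likelihood findings block
    only for revalidation. Findings without a CWE mapping cannot be judged by
    this rule, so they are routed to manual review rather than silently passed.
    """
    blocked_levels = {"high"} | ({"medium"} if revalidation else set())
    blocking = [f for f in findings if likelihood(f.cwe) in blocked_levels]
    review = [f for f in findings if likelihood(f.cwe) == "unknown"]
    return {
        "passes": not blocking,
        "blocking": blocking,
        "manual_review": review,
    }


# Constructed sample findings, as a scanner export might look after
# normalisation to (tool, rule, cwe, location).
SAMPLE_FINDINGS = [
    Finding("sast", "reflected-xss", "CWE-79", "app/views.py:42"),
    Finding("sast", "verbose-error", "CWE-200", "app/errors.py:17"),
    Finding("dast", "custom-header-check", "", "https://example.invalid/login"),
]


if __name__ == "__main__":
    for reval in (False, True):
        result = tier2_assess(SAMPLE_FINDINGS, revalidation=reval)
        print(f"revalidation={reval} passes={result['passes']} "
              f"blocking={[f.rule for f in result['blocking']]} "
              f"manual_review={[f.rule for f in result['manual_review']]}")
```

Routing unmapped findings to manual review rather than dropping them is a design choice made here because the page notes that only most, not all, ASVS requirements carry a CWE mapping.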
Requirements are met in 3 ways
In a Tier 2 verified self-assessment, requirements broadly fall into two categories:
Functional requirements must be verified using an application security testing (AST) scan.
Non-functional requirements are verified using a combination of existing CASA accepted security certifications and developer self-attestation.
Accelerate your CASA journey
With a foundational understanding of the CASA and requirements that apply to your app, go see how many can be automated with the CASA Accelerator tool. Simply provide the tool:
- Your application type
- Existing CASA-accepted security frameworks (see: guidance)
- AST tools you use or intend to use (see: guidance)