Scan Options
Using CASA Recommended Tools
Pre-built configuration files and Docker images are provided to quickly perform approved scans and outputs. This option is highly recommended and greatly reduces the likelihood of a CASA submission being returned for nonconformance.
Simply follow the CASA AST guidance based on which scans are required for your application.
To qualify for Tier 2 verification, results must show:
- No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit
- No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)
OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.
Using Custom or Alternative AST Tools
3P developers are permitted to use any CWE-compatible app scanning tool(s), provided the tool(s) satisfy the CASA AST requirements for testing and results below. A list of options (not comprehensive) is provided here.
Custom or alternative AST tools must:
- Meet the OWASP Benchmark standard
- Be configured to scan all CWEs required for your application
- Provide a pass/fail CWE output in machine-readable (e.g., XML, CSV) or PDF format
A full mapping of required CWEs and AST tool combinations can be found in the CASA Tier 2 mapping template.
To qualify for Tier 2 verification, results must show:
- No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit
- No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)
OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.
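The Tier 2 criteria above amount to a gate over the scanner's machine-readable pass/fail output. The following Python script is an added example (not CASA's or any scanner's own code) that reads a constructed CSV export, keeps the rows marked `fail`, and applies the two rules: high-likelihood findings always block, medium-likelihood findings block only on revalidation. The likelihood table, the CSV column names and the sample rows are all constructed for illustration; a real gate would take the likelihood values and the required-CWE list from the CASA Tier 2 mapping template.

```python
"""Tier 2 gate over a CWE-compatible scanner CSV export (added example, not CASA code)."""
import csv
import io

# Constructed likelihood-of-exploit table. ASSUMPTION: in practice these values
# come from the CWE entries / the CASA Tier 2 mapping template, not from here.
LIKELIHOOD = {
    "CWE-89": "High",     # SQL injection
    "CWE-79": "High",     # cross-site scripting
    "CWE-200": "Medium",  # information exposure
    "CWE-400": "Low",     # uncontrolled resource consumption
}

# Constructed sample export in the CSV layout the page permits (columns are assumed).
# "CWE-0000" is a deliberate placeholder for an ID the table does not cover.
SAMPLE_CSV = """cwe,status,location
CWE-89,fail,app/db.py:42
CWE-79,pass,app/views.py:10
CWE-200,fail,app/api.py:88
CWE-400,fail,app/worker.py:7
CWE-0000,fail,app/util.py:3
"""


def load_findings(text):
    """Parse the export and return only the rows that represent actual findings (status == fail)."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["status"].strip().lower() == "fail"]


def tier2_gate(findings, revalidation=False):
    """Apply the Tier 2 rules.

    Returns a dict with:
      passed   - True only if no finding has a blocking likelihood
      blocking - sorted CWE IDs that caused the failure
      unmapped - CWE IDs with no likelihood entry; these need manual review
                 rather than silently passing
    """
    blocked_levels = {"High"}
    if revalidation:
        blocked_levels.add("Medium")  # medium findings only block on revalidation

    blocking, unmapped = set(), set()
    for finding in findings:
        cwe = finding["cwe"].strip()
        level = LIKELIHOOD.get(cwe)
        if level is None:
            unmapped.add(cwe)
        elif level in blocked_levels:
            blocking.add(cwe)

    return {
        "passed": not blocking,
        "blocking": sorted(blocking),
        "unmapped": sorted(unmapped),
    }


if __name__ == "__main__":
    findings = load_findings(SAMPLE_CSV)
    for reval in (False, True):
        result = tier2_gate(findings, revalidation=reval)
        print(f"revalidation={reval}: {result}")
```

Unmapped CWE IDs are reported separately instead of being treated as a pass, so a tool that emits a CWE outside the mapping template cannot slip a finding through the gate unnoticed.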