![tier 2 customize](/static/images/tier2-step2.png)
Scan Options
Using CASA Recommended Tools
Pre-built configuration files and Docker images are provided to quickly perform approved scans and outputs. This option is highly recommended and greatly reduces the likelihood of a CASA submission being returned for nonconformance.
Simply follow the CASA AST guidance based on which scans are required for your application.
To qualify for Tier 2 verification, results must show:
- No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit
- No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)
OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.
Using Custom or Alternative AST Tools
3P developers are permitted to use any CWE-compatible app scanning tool(s), provided the tool(s) satisfy the CASA AST requirements for testing and results below. A list of options (not comprehensive) is provided here.
Custom or alternative AST tools must:
- Meet OWASP Benchmark standard
- Be configured to scan all CWEs required for your application
- Provide a pass/fail CWE output in machine readable (e.g., XML, CSV) or PDF format
A full mapping of required CWEs and AST tool combinations can be found in the CASA Tier 2 mapping template.
To qualify for Tier 2 verification, results must show:
- No findings linked to common weakness enumerations (CWEs) with high likelihood of exploit
- No findings linked to CWEs with medium likelihood of exploit (*only applicable for CASA revalidation)
OWASP guidance from the ASVS Cheat Sheet can be referenced to remediate findings.
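
A pre-submission gate for the qualification criteria above, applied to a pass/fail-per-CWE CSV report. This is an added example, not part of CASA's tooling: the column names (`cwe`, `result`), the `evaluate` function, and the likelihood table are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample ratings. Take the real likelihood-of-exploit value for
# each CWE your application must cover from its CWE catalogue entry.
LIKELIHOOD = {"CWE-89": "high", "CWE-79": "high", "CWE-352": "medium", "CWE-601": "low"}

# Constructed sample scanner output; the column names are assumptions.
SAMPLE_CSV = """cwe,result
CWE-89,pass
CWE-79,pass
CWE-352,fail
CWE-601,fail
"""

def evaluate(report_text, likelihood, required, revalidation=False):
    """Return (qualifies, problems) for a pass/fail-per-CWE report."""
    # Revalidation also blocks on medium-likelihood findings.
    blocking = {"high", "medium"} if revalidation else {"high"}
    problems, seen = [], set()
    for row in csv.DictReader(io.StringIO(report_text)):
        cwe = row["cwe"].strip().upper()
        result = row["result"].strip().lower()
        seen.add(cwe)
        if result == "pass":
            continue
        if result != "fail":
            problems.append(f"{cwe}: unrecognised result {result!r}")
            continue
        rating = likelihood.get(cwe)
        if rating is None:
            # Fail closed: a finding with no known rating is not ignored.
            problems.append(f"{cwe}: finding with unknown likelihood")
        elif rating in blocking:
            problems.append(f"{cwe}: finding with {rating} likelihood of exploit")
    # A required CWE absent from the report means the tool did not scan it.
    for cwe in sorted(set(required) - seen):
        problems.append(f"{cwe}: required but missing from report")
    return (not problems, problems)

if __name__ == "__main__":
    print(evaluate(SAMPLE_CSV, LIKELIHOOD, LIKELIHOOD.keys()))
    print(evaluate(SAMPLE_CSV, LIKELIHOOD, LIKELIHOOD.keys(), revalidation=True))
```

The same report qualifies for an initial assessment but not for revalidation, because the open CWE-352 finding carries a medium rating in the sample table.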