
CASA tier 2 gives the developer the flexibility to scan their own application and provide the scan results alongside other evidence to an authorized assessor for verification and receives a letter of verification without the assessor needing to access the application code or infrastructure.
Process Overview
Notification
Tier 2 assessments are initiated by an ADA partner company (e.g., Google), when your application is required to complete an assessment to access data or show compliance with policies you will receive a notification via email indicating you are in scope for Tier 2 assessment.
Scan Your App
Once you receive your notification email you can start scanning your application.
- Follow guidance provided here to scan your application
- Remediate any (CWEs) with high likelihood of exploit
- If you have any valid certification, see if you can submit them to accelerate your review
Submit Results
Follow the emailed instructions to create an account (if this is your first CASA) and login.
What you will need to submit your CASA:
-
CASA Tier 2 Notification email
-
Prior CASA assessment results (*only applicable to applications that have previously received a CASA Tier 2 Letter of Verification)
-
Industry certifications (*only for 3P devs accelerating CASA)
-
AST configuration file(s)
-
AST scan result(s) in plain text (.txt) format.”
Additional upload for custom or alternative AST scan:
Finalize
- Receive recommendations based on industry best practices
- Obtain a Letter of Validation (LOV) to to continue with your application verification