Tier 2 - Recommended Tools

There are two categories of recommended tools for performing your Tier 2 application security tests: pre-configured and custom tools. The pre-configured scanning tools are OWASP Zed Attack Proxy (ZAP) for dynamic scanning, and Fluid Attacks* for static scanning. Configuration files have been created for these tools and can be found in the pre-configured scanning section below.

You do not have to use the pre-configured tools if you are already scanning your application with a CWE-compatible platform. In this case, you will need to upload a policy specifying which CWEs you are scanning. Further instructions can be found in the custom scanning section below.

* NOTE: The pre-configured static scanning tool is NOT compatible with TypeScript or JavaScript applications. Please use one of the custom static scanning tools if your application is programmed in TypeScript or JavaScript.

Pre-Configured Scans

Scanning Tool Web Mobile Local API Extension Serverless Instructions
OWASP® Zed Attack Proxy (ZAP)

Use the OWASP ZAP Docker container to perform automated dynamic (DAST) scans against your application. The predefined configuration files already include all of the necessary CWEs. All you need to do is add the configuration to your environment and to your Docker run command. Start Here

FluidAttacks Free & Open Source CLI

Leverage the FluidAttacks open source CLI to perform automated static (SAST) scans against your application. A Docker image has been created that includes all of the necessary CWEs. Simply spin up the container and run the scan command within it. Start Here

Custom DAST / SAST Tools

You can use any CWE-compatible application scanning tool(s) that meet the CASA custom scan requirements. A non-comprehensive list of commercial and open source options is provided below as examples of CWE-compatible tools.

Start Here