As global ecosystems of applications, platforms, and systems evolve and connect through complex cloud-to-cloud integrations, an established and industry-recognized application securitization standard becomes evermore paramount to guarding consumer data and privacy.
Over the past decade there have been significant investments and improvements in securing cloud infrastructure, but significant challenges remain in the application layer. Particularly at risk are non-hardened applications exchanging data with secure cloud infrastructure through trusted data sharing integrations. Thus introducing; the Cloud Application Security Assessment (CASA).
CASA has built upon the industry-recognized standards of the OWASP's Application Security Verification Standard (ASVS) to provide a consistent set of requirements to harden security for any application. Further, CASA provides a uniform way to perform trusted assurance assessments of these requirements when such assessments are required for applications with potential access to sensitive data.
There is no “one size fits all solution” when it comes to evaluating application risk to securing user data. The CASA assessment acknowledges this reality and is adapted with a risk-based, multi-tier assessment approach to evaluate application risk based on user, scope, and other application specific items.
We have a collective responsibility across the industry to provide users the transparency and control they expect when it comes to data security and privacy for the apps they use. Assessing the security of cloud applications and supporting infrastructure will greatly reduce common vulnerabilities, while increasing consumer confidence in the final products and services.
The primary mission of CASA is to increase the extensibility and inclusiveness of cloud-to-cloud integrations, and thus simultaneously increasing the security of consumer data. With this aspiration, the CASA assessment framework was built on the principles of:
Industrialized standardizationCASA is based 100% on the OWASP ASVS; no proprietary requirements or confusing security jargon
ConsistencyAll applications are treated equally against CASA requirements and assessment processes
TransparencyAcross requirements, assessment, and authorized assessors… for everyone
Risk-basedTesting is no longer one size fits all, assurance and level of security review is based on risk tier