One of the Original 3 Labs Since 2019

ADA Assessments from the Team That Built the Standard

One of only three labs doing OAuth verification for Google since 2019. We co-authored the ADA standards with Google, Microsoft, and Meta. Get certified by the experts who wrote the requirements.

ADA Authorized Lab
Google
Microsoft
Meta
Singapore CSA Partner
OAV Lab Since 2019
3 Original Labs
4 Standard Contributors
365-Day Certification

Understanding ADA

What is the App Defense Alliance?

The App Defense Alliance (ADA) is a security certification program created by Google, Microsoft, and Meta to ensure apps accessing their platforms meet rigorous security standards.

Who Needs ADA Certification?

If your application accesses restricted or sensitive data scopes from major platforms, you'll need ADA certification to maintain or obtain API access.

Required for apps that:

  • Read Gmail content or send emails via Google APIs
  • Access Google Drive, Calendar, or Contacts data
  • Integrate with Microsoft 365 services
  • Connect to Meta platforms with elevated permissions
  • Handle OAuth authentication for restricted scopes

Examples: CRMs like HubSpot, automation tools like Zapier, email marketing platforms, calendar integrations, document management systems

Program Evolution

ADA represents the evolution of Google's original OAuth verification program, now expanded to include multiple major platforms.

2019
Google OAV Launched

OAuth App Verification program starts with 3 labs: Leviathan, Bishop Fox, NCC Group

2020
Legacy ADA (Google)

OAV evolves into the App Defense Alliance under Google

Now
Current ADA (Multi-Platform)

Google, Microsoft, and Meta join forces. Expanded to Web, Mobile, and Cloud profiles

Singapore's Cyber Security Agency (CSA) has adopted ADA standards, making certification valuable for companies operating in the APAC region.

Assessment Options

Three Assessment Profiles

ADA defines three distinct security assessment profiles, each aligned with industry-leading standards. Choose the profile that matches your application type.

Most Common

Web App Profile

Based on OWASP ASVS

Comprehensive security testing for web applications and APIs that integrate with platform APIs via OAuth.

Best For: Web apps, REST APIs, SaaS platforms, OAuth integrations
Assessment Covers:
  • Authentication & Session Management
  • Access Control & Authorization
  • Cryptography & Data Protection
  • Input Validation & Output Encoding
  • Security Configuration
  • Error Handling & Logging

Mobile App Profile

Based on OWASP MASVS

Security assessment for native and hybrid mobile applications on Android, iOS, and Meta Quest platforms.

Best For: Android apps, iOS apps, Meta Quest apps, Hybrid apps
Assessment Covers:
  • Secure Storage & Data Protection
  • Cryptographic Implementation
  • Authentication & Authorization
  • Network Communication Security
  • Platform-Specific Security
  • Code Quality & Resilience

Cloud Config Profile

Based on CIS Benchmarks

Infrastructure security review for cloud environments hosting applications that integrate with platform APIs.

Best For: AWS, Google Cloud Platform, Microsoft Azure deployments
Assessment Covers:
  • Identity & Access Management
  • Compute Instance Security
  • Logging & Monitoring
  • Network Security Controls
  • Storage & Database Security
  • Encryption & Key Management

Not sure which profile you need? Schedule a scoping call and we'll help you determine the right assessment.

Our Approach

We Provide AL2 Assessments Exclusively

ADA defines two assurance levels. We exclusively offer AL2 (Lab Assessment) because we believe thorough, hands-on security testing delivers the highest value.

Not Offered
AL1

Verified Self Assessment

You test your own application and submit evidence. The lab validates your documentation.

  • Self-conducted testing
  • Evidence-based validation
  • Documentation review only
  • Lower assurance for platforms

We don't offer AL1 because we believe it doesn't provide sufficient security assurance.

Why AL2 Matters

Higher Trust

Platforms and customers trust lab-verified results over self-assessments

Real Testing

Active testing finds vulnerabilities that documentation review misses

Enterprise Ready

Required for sensitive scopes and enterprise-level platform access

Better Security

Actionable findings that actually improve your security posture

Investment

Transparent Pricing. No Surprises.

Our AL2 Lab Assessment pricing is based on application complexity. Here are our typical ranges.

  • Web App Profile (OWASP ASVS): AL2 Lab Assessment $X,XXX - $XX,XXX; typical timeline 2-4 weeks
  • Mobile App Profile (OWASP MASVS): AL2 Lab Assessment $X,XXX - $XX,XXX; typical timeline 2-4 weeks
  • Cloud Config Profile (CIS Benchmarks): AL2 Lab Assessment $X,XXX - $XX,XXX; typical timeline 1-3 weeks

Final pricing varies based on application complexity, number of endpoints, and authentication flows. Each profile page includes detailed pricing tiers.

The Process

How It Works

Our streamlined AL2 assessment process gets you certified efficiently while maintaining rigorous security standards.

1. Scoping Call

We discuss your application architecture, determine the appropriate assessment profile, and provide a detailed quote. No commitment required.

Duration: 30-minute call

2. Preparation

Complete our assessment questionnaire, provide application access credentials, and share any relevant documentation about your architecture.

Your effort: 1-2 hours

3. Assessment

Our security engineers perform comprehensive hands-on testing of your application against the ADA requirements. This is where the real work happens.

Duration: 1-3 weeks (varies by complexity)

4. Remediation

Receive a detailed findings report with actionable remediation guidance. Fix any issues, and we'll re-test at no additional cost to verify the fixes.

Includes: Re-testing for identified issues

5. Certification

We submit your results to the Certification Body. Once approved, you receive your official ADA certificate, valid for 365 days.

Validity: 365 days

Typical End-to-End Timeline: 2-6 weeks, depending on application complexity and remediation requirements

The Difference

Why Choose Leviathan

We're not just an authorized lab. We helped build the program from day one.

Remediation Guidance

We don't just tell you what failed. We provide actionable guidance on how to fix issues and pass your assessment. Our goal is your success, not just a list of findings.

  • Detailed fix recommendations
  • Code examples where applicable
  • Re-testing included

White-Glove Experience

Work directly with the security engineers assessing your application. No account managers or support tickets standing between you and answers.

  • Direct engineer access
  • Responsive communication
  • Questions answered promptly

Already CASA Certified?

ADA is the evolution of CASA, now with broader platform coverage including Microsoft and Meta. We've been doing CASA assessments since the beginning and helped design ADA as its successor. Your experience and any existing security work will carry forward.

Questions

Frequently Asked Questions

What's the difference between CASA and ADA?

ADA (App Defense Alliance) is the evolution of CASA (Cloud Application Security Assessment). While CASA was focused on Google's ecosystem, ADA now includes Google, Microsoft, and Meta as participating platforms.

ADA also introduces a more structured approach with three distinct assessment profiles (Web App, Mobile App, Cloud Config) and two assurance levels (AL1 and AL2). The security requirements are based on industry standards like OWASP ASVS, OWASP MASVS, and CIS Benchmarks.

What's the difference between AL1 and AL2?

AL1 (Verified Self Assessment): You conduct your own security testing and submit evidence to the lab for validation. The lab reviews your documentation but doesn't actively test your application.

AL2 (Lab Assessment): Security experts at the lab perform comprehensive hands-on testing of your application. This provides higher assurance and typically uncovers more issues.

We only offer AL2 assessments. We believe thorough, hands-on testing by experienced assessors delivers the most value and reliable certification.

How long is ADA certification valid?

ADA certification is valid for 365 days from the date of issuance. After this period, you'll need to undergo a new assessment to maintain your certification status.

We recommend starting the renewal process 4-6 weeks before expiration to ensure continuous certification.

What if we fail the assessment?

If issues are found during assessment, you'll receive a detailed report with:

  • Clear description of each finding
  • Severity classification
  • Actionable remediation guidance
  • Code examples where applicable

Re-testing is included in your assessment fee. Once you've addressed the findings, we'll verify the fixes and continue toward certification. Our goal is to help you pass, not just find problems.

Can we combine multiple assessment profiles?

Yes. Many applications require multiple profiles. For example, a SaaS platform might need:

  • Web App Profile for the main application
  • Mobile App Profile for iOS/Android apps
  • Cloud Config Profile for the cloud infrastructure

We offer bundled pricing for multiple profiles and can coordinate assessments to run efficiently. Contact us for a custom quote.

How does ADA certification help with Google API access?

Google requires ADA certification for applications requesting access to restricted or sensitive OAuth scopes. Without certification, your app may be denied access to these APIs or face usage limitations.

Examples of restricted scopes that require certification:

  • Gmail API (reading/sending emails)
  • Google Drive API (accessing user files)
  • Google Calendar API (reading events)
  • Google Contacts API

What happens if we make significant changes during the validity period?

Significant changes to your application's security-relevant functionality may require a reassessment. This includes:

  • Major changes to authentication or authorization flows
  • New integrations with sensitive data sources
  • Significant architectural changes
  • Changes to data handling or storage mechanisms

If you're unsure whether a change requires reassessment, contact us for guidance. We offer delta assessments at reduced cost for minor changes.

What's the history of this certification program?

The program has evolved significantly:

  • 2019: Google launched OAuth App Verification (OAV) with three authorized labs: Leviathan Security Group, Bishop Fox, and NCC Group
  • 2020: OAV evolved into CASA (Cloud Application Security Assessment), expanding scope
  • 2023-Present: CASA evolved into ADA (App Defense Alliance) with Google, Microsoft, and Meta as participating platforms

Leviathan has been part of this program since its inception in 2019, and our team members have contributed to the development of all current ADA specifications.

Have a question not answered here?

Contact Us

Get Started

Ready to Get Certified?

Whether you're facing a deadline from Google or proactively securing your application, we're here to help you through the certification process.

Schedule a Scoping Call: 30 minutes to discuss your needs
Email Us Directly: ada@leviathansecurity.com

  • No commitment required
  • Transparent pricing
  • Response within 24 hours