Cloud Application Security Assessment (CASA)

A comprehensive and standardized framework developed in collaboration between Leviathan Security Group and the App Defense Alliance (ADA) to assess and harden the security of any application, based on the industry-recognized OWASP Application Security Verification Standard (ASVS).

Reach out by submitting the contact form below
Our team will schedule some time to answer any questions you may have about the CASA process or about bundling with other services Leviathan provides.

Simplify Your Path to Compliance

Our simplified approach allows us to provide the most appropriate level of assurance for each application, depending on its user, scope, and context.

Offering a white-glove experience to our clients, Leviathan takes care of the pain points involved in the process and delivers clear and transparent results.

With Leviathan, you can trust us to handle your CASA audits with professionalism and efficiency.

Google CASA Cloud Application Security Assessment Process

No Rush (Tier 2)

$3,000

Best for projects with flexible deadlines.

Start your assessment within 30 days

1 round of retesting

Standard (Tier 2)

$4,500

Aligns with standard project timelines, ensuring a timely security evaluation.

Start your assessment within 10 days

1 round of retesting

Priority (Tier 2)

$6,000

The fastest route for projects with imminent deadlines.

Start your assessment within 2 days

1 round of retesting

Tier 1

Developer tested and verified.

Tier 1 is reserved for applications with very low risk profiles as determined by the ADA.

Tier 2

Tested by the developer or an authorized lab and verified by an authorized lab.

Tier 2 allows for the use of sensitive APIs such as reading email and calendar information from your customers.

Tier 3

Tested and validated by an authorized lab.

Tier 3 is reserved for applications with high risk profiles as determined by the ADA.

Tier 3 provides benefits such as inclusion in high-value categories on the Google Workspace Marketplace, and it tags your application as tested and secure according to an authorized third-party lab.

Cloud Application Security Assessment (CASA)

The CASA framework utilizes the OWASP Application Security Verification Standard (ASVS), which is regarded as the benchmark in platform security and privacy. Assessments are performed across 14 categories of the ASVS 4.0, covering each core aspect of the application.

Frequently Asked Questions (FAQs)

How do I know I need a cloud application security assessment?

If your app is requesting access to restricted scopes, the OAuth review team will reach out to you when it's time to start the security assessment.

Which OAuth scopes are considered restricted?

Currently, Google considers the following to be “restricted” OAuth scopes:

  • Gmail API

  • Google Drive API

  • Google Fit API

  • Google Chat API

What applications do not require verification and testing?

If your app falls under any of the categories below, it is not mandatory for your app to complete an OAuth verification:

  • Personal use apps

  • Developmental or test apps

  • Apps that only access their own data using a service account

  • Apps only used internally in your Google Workspace or Cloud Identity organization

  • Apps added by an administrator of a Google Workspace from the Google Workspace Marketplace

How often does an application need to be verified?

Apps that access restricted scopes are required to complete an assessment every twelve (12) months. The 12-month period is calculated from the effective date of the app’s previous Letter of Validation.

What happens if you discover a vulnerability in an application?

All vulnerabilities discovered must be corrected before the final Letter of Validation can be provided. Leviathan will work with you to provide recommendations on how to correct the issues discovered and will validate that the corrections were implemented properly.

What if an app needs to request access to other restricted scopes after receiving a Letter of Validation?

Guidelines recommend the use of production and testing environments to avoid impacting your app’s availability to your customers. Follow these steps when you need to add a new restricted scope to your application:

  • Add the new scopes to your user consent screen without implementing the new API features in production

  • Implement the API features in your test environment and request a security validation

  • Leviathan will work with you to test the features in the test environment and provide a Letter of Validation

  • Once the Letter of Validation has been accepted, implement the new API features in your production environment