Google CASA Tier 2 Certification

barbara.saas.project · 2024-07-23T07:54:42.978Z

Hi there,

while moving our app Google API to production (that we use for modify access to Gmail), Google has requested that we obtain a CASA (Cloud Application Security Assessment) Tier 2 Certification.

Has anyone gone through the process and obtain such certification?
Below the message we got from Google requesting that we get certified.

Hello Google Developer,

Thank you for your patience while we reviewed your submission for project xxx. We need you to address the following items for us to continue your app’s verification:

You are required to complete a CASA Tier 2 security assessment for your application (project number: xxx) by the following date: 2024-10-16. This assessment is required annually; to learn more, please visit the CASA website.

CASA assessment is done on a “first-come-first-serve” basis. This can take up to 6 weeks depending on how engaged and responsive you are in the whole process.Hence we strongly suggest you get started with the assessment as soon as possible. To know how, please read the instructions below.

You have the following options to complete your assessment:

#### 1 - Tier 2 Authorized Lab Scan

For your Tier 2 CASA assessment you may contact our CASA authorized preferred partner TAC Security, with whom we have negotiated a discounted rate for Tier 2 CASA assessments. Alternatively, you may also contact any other CASA authorized lab to conduct your Tier 2 CASA Assessment.

#### 2 - Tier 3 CASA Assessment

You can also opt-in to complete a [Tier 3 assessment](Hiérarchisation CASA | App Defense Alliance, by contacting CASA authorized TAC Security, or any other CASA authorized lab.

CASA Tier 3 is a comprehensive assessment that tests the application, the application deployment infrastructure and any user data storage location.

Tier 3 assessments have the following benefits:

** Conducted and validated by the authorized labs giving your application high assurance of compliance with CASA standard*
** If your application is listed on the Google WorkSpace Marketplace you will receive an independent security verification badge*

For any questions on the Tier 2 or Tier 3 Authorized Lab Scan/Assessment, or if you need a due date extension, please reach out to your CASA authorized lab.

### Useful resources

Refer to the following documentation for more information:

** CASA Website*
** CASA Tiering*
** Other Tiers Process*

Important! Once you have addressed the issues above, reply directly to this email to confirm. You must reply to this email after fixing the highlighted issues to continue with the app verification process.

Need to make changes to your verification request?

Please make direct changes on the Cloud Console. Save and submit the changes when finished.

No longer need access to these scopes?

Please reply to this email to cancel the verification request.

Need other help?

For more information on OAuth Verification, you can read the terms or policies for the APIs or products your app uses, as well as the following resources:

** Link to OAuth Verification FAQ*

Thank you,

The Third Party Data Safety Team

Zeroic · 2024-07-23T08:15:37.739Z

cc @Alexis.Barker @theo.goldberg - devs integrating with core Google services generally get similar sounding emails from Google. Maybe you could help us out with this?
Thanks

redvivi · 2024-07-23T15:47:24.654Z

barbara.saas.project:

Has anyone gone through the process and obtain such certification?

What are your questions?

Alexis.Barker · 2024-07-23T22:16:29.286Z

Hi @Zeroic! Do you mind elaborating a bit more on how we can help?

barbara.saas.project · 2024-07-24T07:18:24.705Z

Hi @redvivi @Zeroic and @Alexis.Barker, thanks for your interest.

My/our questions are:

can we obtain the CASA Tier 2 certification being our app based on Bubble?
It looks like - again, we’re new to this so we don’t know - to obtain the certification you need to submit your source code in zip format, but we do not have any source code, as the platform is developed on Bubble.
do you know any agencies that have certified any Bubble apps

After contacting Bubble support we wanted to know if anyone with a Bubble app ever obtained a CASA Tier 2 Certification. On the assumption that if other Bubble apps had been certified we’d been able to obtain the certification too.

All of this is to commission the work (some 500 USD) to the certification-issuing partner with confidence that we can actually be certified.

Thanks for any info/guidance you can provide.

redvivi · 2024-07-24T09:58:22.391Z

barbara.saas.project:

an we obtain the CASA Tier 2 certification being our app based on Bubble?
It looks like - again, we’re new to this so we don’t know - to obtain the certification you need to submit your source code in zip format

The CASA Tier 2 for this kind of web app can be done through DAST - dynamic testing which does not require source code.

barbara.saas.project:

do you know any agencies that have certified any Bubble apps

Mine - before they require now to go through Authorised Labs (which basically are doing the same tests as mine).

barbara.saas.project:

All of this is to commission the work (some 500 USD) to the certification-issuing partner with confidence that we can actually be certified.

In any case you always have 2 steps, the first one is the testing of your app, you get a report with open items to fix/justify and then after validation you get the certification. Any any case, no certification process guarantees that you WILL get certified, however I can testify that Bubble platform is no blocker for CASA Tier 2 Assessment.

barbara.saas.project · 2024-08-02T10:58:56.567Z

Hello @redvivi
We got our first report from the CASA Tier 2 certification.
There are the issues that they reported to us: CASA Tier 2 Report - Google Sheets

To us they all like things we cannot fix ourselves. How should we proceed? Do you any suggestions? Thanks a lot.

matt15 · 2024-08-08T17:27:03.613Z

@barbara.saas.project I am currently going through this right now. Did you use TAC Security (Google’s preferred testing partner) for this report?

Did the security audit pass / did your app end up getting approved by Google?

This is extremely important given how many apps use Google APIs with sensitive scopes.

system · 2024-10-01T07:54:42.124Z

This topic was automatically closed after 70 days. New replies are no longer allowed.