As of June 2024, Beams completed the App Defense Alliance’s Cloud Application Security Assessment (CASA) Tier 2. If you are developing an app that uses Google APIs, you will likely need to go through some type of security assessment or verification. While the verification is beneficial for your users’ security and your brand, the process can sometimes feel like walking in the dark.
I will summarize our journey below and provide you with a to-do list and a progress tracker. Hope it helps!

Overview

 
Google APIs have three types of scopes:
  • Non-sensitive ("free") scopes, like basic profile info
  • Sensitive scopes, like calendar access
  • Restricted scopes, like Gmail or Google Drive access
Except for non-sensitive scopes, a third-party app like Beams has to go through a verification process.
For sensitive scopes, Google verifies that the app has a legitimate use case for the permissions.
For restricted scopes, Google additionally requires the app to pass a CASA verification. CASA stands for Cloud Application Security Assessment. It has three tiers, and Google mandates Tier 2 or Tier 3 depending on the security risk posed by the requested scopes. Beams needed a Tier 2 verification.
As of May 2024, an app obtains Tier 2 verification through an accredited security lab.
For more information on CASA and its tiers, see the App Defense Alliance's CASA documentation.
The high-level process for Tier 2 verification includes:
  • Self-scan
    • Patching vulnerabilities
  • Documenting the security architecture and data classification practices
  • Scheduling a scan with a security lab
  • Back-and-forth communication with the lab
  • Receiving a Letter of Verification (LOV) from Google

Important Resources

  • Fluid Attacks
    • Fluid Attacks is the static scan tool Google recommends, but the instructions on Google's page are out of date. Follow the instructions on the Fluid Attacks site instead.

Self Scan

🔗 Copy this checklist and requirements tracker

 
Getting Ready:
Create a spreadsheet like the tracker above by exporting the official CASA Tier 2 requirements from Google. This is very important for tracking progress: add a comment on each requirement as you work through it, because you will need those comments later (they become your answers to the lab's survey).
Create a folder for the CASA work in your workspace: mkdir -p ~/workspace/casa
Install Docker.
 
Static Scan:
A static scan reads the source code and searches for vulnerabilities such as bad Dockerfile practices, insecure random number generators, or secrets committed to the repository.
SonarCloud is a much better tool in our experience, but Fluid Attacks is a free alternative and produces result reports that you can submit with the verification application.
 
cd ~/workspace/casa
git clone <your repository>.git
Create a Fluid Attacks configuration and place it in the ~/workspace/casa folder (see the sample configuration under More Resources below).
Stay in ~/workspace/casa.
 
The following command runs the scan with Fluid Attacks' Docker image for their scanner (skims). Pick the image tag that matches your CPU architecture (arm64 below).
Short explanation: it mounts the ~/workspace/casa folder on your machine at /working-dir inside the container, so every reference to /working-dir in the config file refers to ~/workspace/casa on your machine.
 
docker run -v "$HOME/workspace/casa:/working-dir" fluidattacks/cli:arm64 skims scan /working-dir/<fluid-config>.yaml
 
Based on the configuration we provided, the scan produces two result files. You may need them, depending on the requirements of the process in 2025; they include:
  • fluidattacks-backend-sast.csv
 
Dynamic scan:
This is the most time-consuming part of the self-scan procedure. ZAProxy (ZAP) does a comprehensive scan, and it takes a long time, so fix as many of the reported vulnerabilities as possible between scans to progress faster.
ZAP is also open source, free, and recommended by Google.
 
Create a JWT or credentials for a test user on the Beams API (or your own API) and copy it somewhere safe. It is a live credential, so keep it out of the repository you just scanned for secrets.
Create ZAP configurations similar to the ones provided under More Resources below.
Update the configuration files with the JWT you just copied and the URL of the environment you want to test.
Run the dynamic scan for your web app (zap-full-scan.py spiders and actively scans the site):
docker run -v $(pwd):/zap/wrk:rw -t zaproxy/zap-weekly zap-full-scan.py -t <WEB URL> -c /zap/wrk/zap-casa-config.conf -n appscan.context -z "-configfile /zap/wrk/zapconfig-web.conf" -r results-web.html -x results-web.xml -j -d
Run the dynamic scan for your API (zap-api-scan.py is driven by the OpenAPI definition at <API URL>):
docker run -v $(pwd):/zap/wrk:rw -t zaproxy/zap-weekly zap-api-scan.py -t <API URL> -f openapi -c /zap/wrk/zap-casa-config.conf -n apiscan.context -z "-configfile /zap/wrk/zapconfig-api.conf" -r results.html -x results.xml -d

Document Security Practices

Your documentation should address the following requirements that you can find in the progress tracker:
  • Verify documentation and justification of all the application's trust boundaries, components, and significant data flows.
  • Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client.
  • Verify that all sensitive data is identified and classified into protection levels.
  • Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture.

Work with a security lab

 
We chose TAC Security in 2024 for various reasons. They provided us with an interface to:
  • Schedule a scan
  • Fill out a survey (you will mostly be copying the comments from your requirements tracker)
  • Patch or justify the vulnerabilities they find

Reverification

Google requires us to go through essentially the same process every year, with one difference: we apply for re-verification rather than first-time verification.
 

More Resources

Sample Fluid Attacks configuration

Configuration

Sample ZAProxy configurations

1. Context file

This file gives the scan its context: which URLs to include in or exclude from the scan.
apiscan.context

2. ZAP Application config

This is the ZAP application config. We use it to replace the Authorization header of each request with a valid token (ZAP's Replacer rules do this), so the scanner reaches the authenticated parts of the API.
zapconfig-api.conf

3. CASA Config

This one is provided by Google and can be downloaded from the CASA documentation. It sets the criteria for the scan: which findings fail and which do not.
zap-casa-config.conf
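As an added example (not the Beams team's script and not part of the original post), here is a small wrapper around the two ZAP scans from the Self Scan section. Instead of pasting the JWT into a config file that might get committed, it generates the Authorization-replacing config described in item 2 at run time from a ZAP_TOKEN environment variable, runs the same docker commands as above, and counts the High-risk alerts in the XML report so you can tell whether the last round of fixes helped before starting another multi-hour scan. The variable names ZAP_TOKEN, WEB_URL, API_URL, DRY_RUN and CASA_RUN are assumptions made for this example; the replacer keys are the format ZAP's Replacer add-on reads from a -configfile.

```shell
#!/usr/bin/env bash
# Added example, not the Beams team's own script. Wraps the two ZAP scans from the
# Self Scan section so the test user's JWT never has to be pasted into a config file
# that could be committed. Assumed (hypothetical) inputs: ZAP_TOKEN, WEB_URL, API_URL;
# DRY_RUN=1 prints the docker command instead of running it; CASA_RUN=1 runs main.
set -eu

# Write ZAP Replacer rules that overwrite the Authorization header of every request with
# the test user's bearer token. These are the keys ZAP loads from "-z '-configfile ...'".
write_replacer_config() {
  out="$1"; token="$2"
  # The file holds a live credential: create it owner-readable only and keep it out of git.
  ( umask 077; cat >"$out" <<EOF
replacer.full_list(0).description=casa-test-user
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Bearer $token
EOF
  )
}

# Run a command, or only print it when DRY_RUN=1, so the argument list can be checked
# before kicking off a scan that takes hours.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full (spider + active) scan of the web app. $(pwd) is mounted at /zap/wrk, so the
# context, CASA config and generated replacer config are read from the current folder.
scan_web() {
  run docker run -v "$(pwd):/zap/wrk:rw" -t zaproxy/zap-weekly zap-full-scan.py \
    -t "$WEB_URL" -c /zap/wrk/zap-casa-config.conf -n appscan.context \
    -z "-configfile /zap/wrk/zapconfig-web.conf" -r results-web.html -x results-web.xml -j -d
}

# API scan driven by the OpenAPI definition at $API_URL.
scan_api() {
  run docker run -v "$(pwd):/zap/wrk:rw" -t zaproxy/zap-weekly zap-api-scan.py \
    -t "$API_URL" -f openapi -c /zap/wrk/zap-casa-config.conf -n apiscan.context \
    -z "-configfile /zap/wrk/zapconfig-api.conf" -r results.html -x results.xml -d
}

# Count alerts rated High (riskcode 3) in ZAP's traditional XML report, which writes one
# element per line; a quick before/after metric for the patch-and-rescan loop.
high_risk_count() {
  [ -r "$1" ] || { echo "no report at $1" >&2; return 1; }
  grep -c '<riskcode>3</riskcode>' "$1" || true
}

# Usage: CASA_RUN=1 ZAP_TOKEN=... WEB_URL=... ./casa-zap-scan.sh web   (or: API_URL=... api)
main() {
  : "${ZAP_TOKEN:?set ZAP_TOKEN to a JWT for the test user}"
  case "${1:-}" in
    web) write_replacer_config zapconfig-web.conf "$ZAP_TOKEN"; scan_web
         echo "High-risk alerts: $(high_risk_count results-web.xml)" ;;
    api) write_replacer_config zapconfig-api.conf "$ZAP_TOKEN"; scan_api
         echo "High-risk alerts: $(high_risk_count results.xml)" ;;
    *)   echo "usage: $0 web|api" >&2; return 2 ;;
  esac
}
if [ "${CASA_RUN:-0}" = "1" ]; then main "$@"; fi
```

The generated zapconfig-*.conf files contain the token in clear text, so add them to .gitignore and regenerate them from the environment for every run; that keeps the dynamic-scan setup from reintroducing exactly the "secrets in the code" finding the static scan is meant to catch.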
 
🤙
If you have any questions, reach us at team@usebeams.com