Our CASA-Approved Static Scanning

Our CLI is an approved AST tool to secure cloud apps

December 23, 2022

The App Defense Alliance added Fluid Attacks' CLI application as an approved tool for application security testing (AST). The Alliance is a partnership between Google et al. formed to ensure that Android applications are secure for users. Our open-source offering is free to use for static scanning and has been officially accepted to validate tier 2 requirements of the Alliance's Cloud Application Security Assessment (CASA) framework.

The purpose of the App Defense Alliance

The App Defense Alliance (ADA) emerged in 2019. Its members are Google, ESET, Lookout, Zimperium and, more recently, McAfee and Trend Micro. This partnership is committed to ensuring that the applications available on Google Play are not riddled with vulnerabilities.

To fulfill its purpose, the ADA requires developers to verify that their applications comply with industry standards for application security. For mobile apps, the ADA launched the Mobile Application Security Assessment (MASA); for cloud applications, it established the Cloud Application Security Assessment (CASA).

The MASA framework validates that apps have the security controls defined in the OWASP Mobile Application Security Verification Standard (MASVS). (By the way, we've listed elsewhere the top risks to mobile apps and defined the role of mobile application security testing (MAST), which, if you leverage with us, can check your compliance with MASVS and beyond.)

We are, however, focusing on the CASA framework in this post. So let us explain it a bit more deeply.

Cloud Application Security Assessment (CASA)

The ADA created CASA as an initiative for Android apps to comply with the controls proposed by the OWASP Application Security Verification Standard (ASVS). Its main purpose with this project is to enable secure cloud-to-cloud integrations and boost their extensibility and inclusiveness.

Now, applications differ in things like the sensitivity of the data they access, the number of users per type of data accessed and the risk tolerance of the company that creates them. For that reason, the framework takes a risk-based, multi-tier approach. To put it plainly, the tiers (1, 2 and 3) communicate how strictly the security requirements must be followed.

Framework users, such as Google, ask developers to verify their compliance with CASA standards. It is the framework user, not the devs, who determines the tier. Sure, devs can decide to initiate the assessment without having been contacted, but in that case only passing the tier 3 assessment would get them a valid CASA verification. This tier requires devs to choose an authorized assessor, who would then test the security of the application for a fee.

Teams needing tier 1 and tier 2 assessments can use CASA-recommended scanning tools to check their applications for common vulnerabilities. And here's where we've got news!

We are listed under the static scanning procedures. You can use our CASA-approved, open-source CLI application without cost to perform static application security testing (SAST).

Our CLI app can be leveraged for vulnerability scanning

Fluid Attacks' Machine is our CLI application that devs can configure to run source code analysis and assess web applications and other attack surfaces. It performs vulnerability scanning and reports the names of identified vulnerabilities (according to Fluid Attacks' own standardized set) along with their CWE IDs and location in your source code. To learn how to configure and use our CLI tool as a vulnerability scanner, follow our guide.

If a CASA Framework User requests that you pass the tier 2 assurance level, be sure to follow the process described by the ADA. Use Machine to scan your application as the Alliance shows on its website.

You'll be requested to revalidate your application once every year. Remember, though, that security does not stop being a concern between revalidations. You should think about it always, with every change to your application. By conducting security testing all the time, you can be aware of and fix common vulnerabilities. We can help you with this.

Secure your applications with Fluid Attacks

We offer Continuous Hacking, which involves performing AST throughout your software development lifecycle (SDLC). We configure Machine to detect your application's vulnerabilities with accuracy. You can see every finding and several details, including recommendations for fixing the security issues, on our Attack Resistance Management (ARM) platform. There you can also contact us for support via live chat.

Among the benefits of Continuous Hacking are:

  • securing every deployment without delaying your time-to-market;
  • ensuring compliance with several international standards (e.g., PCI DSS, GDPR, CCPA); and
  • enabling your cloud DevSecOps implementation.

You can choose between two paid plans: Machine and Squad. Machine Plan offers continuous static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) with our tool only. Squad Plan adds AI prioritization and continuous manual penetration testing. Our ethical hackers find the vulnerabilities that represent the most risk to applications. That's why we recommend you go beyond automation and favor security testing done through the eyes of attackers.

If you'd like a taste of our solution, start your 21-day free trial of Machine Plan and upgrade to Squad Plan whenever you want.
