Our CASA-Approved Static Scanning

Our CLI is an approved AST tool to secure cloud apps


The App Defense Alliance added Fluid Attacks' CLI application as an approved tool for application security testing (AST). The Alliance is a partnership between Google et al. formed to ensure that Android applications are secure for users. Our open-source offering is free to use for static scanning and has been officially accepted to validate tier 2 requirements of the Alliance's Cloud Application Security Assessment (CASA) framework.

The purpose of the App Defense Alliance

The App Defense Alliance (ADA) emerged in 2019. Its members are Google, ESET, Lookout, Zimperium and, more recently, McAfee and Trend Micro. This partnership is committed to ensuring applications available in Google Play are not ridden with vulnerabilities.

To fulfill its purpose, the ADA requires developers to verify that their applications comply with industry standards for application security. For mobile apps, the ADA launched the Mobile Application Security Assessment (MASA); for cloud applications, it established the Cloud Application Security Assessment (CASA).

The MASA framework validates that apps have the security controls defined in the OWASP Mobile Application Security Verification Standard (MASVS). (By the way, we've listed elsewhere the top risks to mobile apps and defined the role of mobile application security testing (MAST), which, if you leverage with us, can check your compliance with MASVS and beyond.)

We are, however, focusing on the CASA framework in this post. So let us explain it a bit more deeply.

Cloud Application Security Assessment (CASA)

The ADA created CASA as an initiative for Android apps to comply with the controls proposed by the OWASP Application Security Verification Standard (ASVS). Its main purpose with this project is to enable secure cloud-to-cloud integrations and boost their extensibility and inclusiveness.

Now, applications differ in things like the sensitivity of the data they access, the number of users per type of data accessed and the risk tolerance of the company that builds them. For that reason, the framework takes a risk-based, multi-tier approach. To put it plainly, the tiers (1, 2 and 3) communicate how strictly the security requirements must be followed.

Framework users, such as Google, ask developers to verify their compliance with CASA standards. It is the framework user, not the developer, who determines the tier. Sure, devs can decide to initiate the assessment without having been contacted, but in that case only passing the tier 3 assessment would get them a valid CASA verification. This tier requires devs to choose an authorized assessor, who then tests the security of the application for a fee.

Teams needing tiers 1 and 2 assessments can use CASA-recommended scanning tools to check their applications for common vulnerabilities. And here's where we've got news!

We are listed under the static scanning procedures. You can use our CASA-approved, open-source CLI application without cost to perform static application security testing (SAST).

Our CLI app can be leveraged for vulnerability scanning

Fluid Attacks' Machine is our CLI application that devs can configure to run source code analysis and assess web applications and other attack surfaces. It performs vulnerability scanning and reports the names of identified vulnerabilities (according to Fluid Attacks' own standardized set) along with their CWE IDs and location in your source code. To learn how to configure and use our CLI tool as a vulnerability scanner, follow our guide.

If a CASA Framework User requests that you pass the tier 2 assurance level, be sure to follow the process described by the ADA. Use Machine to scan your application as the Alliance shows on its website.

You'll be requested to revalidate your application once every year. Remember, though, that security does not stop being a concern between revalidations. You should think about it always, with every change to your application. By conducting security testing continuously, you can be aware of and fix common vulnerabilities. We can help you with this.

Secure your applications with Fluid Attacks

We offer Continuous Hacking, which involves performing AST throughout your software development lifecycle (SDLC). We configure Machine to detect your application's vulnerabilities with accuracy. You can see every finding and several details, including recommendations for fixing the security issues, on our platform. There you can also contact us for support via live chat.

Among the benefits of Continuous Hacking are

  • securing every deployment without delaying your time-to-market;
  • ensuring compliance with several international standards (e.g., PCI DSS, GDPR, CCPA), and
  • enabling your cloud DevSecOps implementation.

You can choose between two paid plans: Essential plan and Advanced plan. Essential plan offers continuous static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) with our scanning tool only. Advanced plan adds AI prioritization and continuous manual penetration testing. Our ethical hackers find the vulnerabilities that represent the most risk to applications. That's why we recommend you go beyond automation and favor security testing done through the eyes of attackers.

If you'd like a taste of our solution, start your 21-day free trial of Essential plan and upgrade to Advanced plan whenever you want.
