What is the ADA CASA Program?
ESOF AppSec ADA CASA is a comprehensive service provided by TAC Security, the only Google Preferred and Recommended ADA CASA Partner. It ensures compliance with ADA CASA (App Security Assessment) requirements and offers various tiers of assessment plans tailored to meet different application security needs.
Why choose TAC security for ADA CASA needs?
TAC Security is the only Google Preferred and Recommended ADA CASA Partner, offering verified third-party assessment services backed by an association with Google of over a year. They provide fast turnaround times with a 100% success rate, step-by-step guidance through the process, and are endorsed by Google.
What are the available plans for ESOF AppSec ADA CASA and what do they include?
ESOF AppSec ADA CASA offers four plans: Basic, Premium, Enterprise Tier 2 and Enterprise Tier 3.
Basic – Includes an annual Application Security Assessment for Tier 2, two cycle revalidations, support for vulnerability remediation, LOV issued by TAC Security, and a discounted price of $540 per application.
Premium – Includes an annual Application Security Assessment for Tier 2, unlimited Revalidation, dedicated support for patch management, LOV by TAC Security, and a discounted price of $720 per application.
Enterprise Tier 2 – Includes an annual Application Security Assessment for Tier 2, unlimited reverification for tier 2 assessment (validity 10 months), unlimited Revalidation, dedicated support for patch management, LOV by TAC Security, and a discounted price of $1800 per application.
Enterprise Tier 3 – Includes an annual Application Security Assessment for Tier 3, unlimited Revalidation, a Dedicated Account Manager, LOV by TAC Security, Google Workplace Security Badge – For Marketplace Apps and a discounted price of $4500 per application.
What’s the recommended plan by TAC Security for Tier 2 assessment?
We recommend the ESOF AppSec ADA CASA Enterprise Tier 2 plan. This is our customers’ first choice because you can conduct assessments year-round. If you add new features and Google recommends a reassessment, you will not incur any additional charges. This plan includes CASA reassessment at no extra cost (validity 10 months), allowing for adjustments without financial concern.
What do you mean by Revalidation and Reverification?
Revalidation means retesting after patching all the found vulnerabilities.
Reverification means that if you add new features and Google recommends a reassessment, you will not incur any additional charges. This plan includes CASA reassessment at no extra cost (validity 10 months), allowing for adjustments without financial concern.
Are plans one-off payments or automatically renewing? Are there any hidden fees?
Our plans are one-off payments, and there are no hidden fees associated with our services.
Why should organizations trust TAC Security for their ADA CASA assessments?
TAC Security, as the only Google Preferred and Recommended ADA CASA Partner, is a global leader in risk and vulnerability management with a 100% success rate for all its Google Security Assessments. They offer vast expertise, undivided attention to each project, and accurate guidance tailored to specific cybersecurity requirements.
Are all vulnerabilities required to be patched to successfully pass the Google CASA assessments?
Yes, successful completion of the Google CASA assessment necessitates the patching of all identified vulnerabilities.
How can I get in touch with support for assistance with Payment, Scan Status, LOV, Sign Up, etc?
For any inquiries regarding payment, scan status, LOV, or login, please reach out to casasupport@tacsecurity.com
What hours is TAC Security CASA support team available?
The TAC CASA Support team operates during business hours from 7 am to 3 pm EST on weekdays (Mon-Fri).
What is the estimated duration for DAST/SAST scanning?
The timeframe for DAST/SAST scanning usually varies from 1-2 business days, depending on the size and complexity of the application’s codebase.
Does everything that is marked as ‘low risk’ within the PDF need to be resolved? And do we need to submit the app for a second re-scan?
Yes, that’s correct. You need to patch all the vulnerabilities before you go to the second scan.
If the assessment is passed successfully, how is Google informed that the assessment has been successful?
Our team will submit the Letter of Validation (LOV) to Google, and Google will send you the verification email within 5-6 business days.
Can you specify the materials and the cooperation required from our end for this verification?
Yes, the process is the Google Vendor CASA assessment.
Your participation in the process is as follows:
- Pre-requisite information (login credentials, URL, flow diagram, details of the Google scopes used, etc.)
- Guided remediation (you patch the vulnerabilities found, following the best practices shared along with them; the team will guide you through email if needed).
This is all you are expected to do; the rest of the process is completely handled by TAC Security, including the issue of the LOV to Google.
May I confirm this is the assessment for this year only?
Yes, this assessment is for this year only; next year you would have to go through the process again.
How will the solution be proposed for code review? We do not want to upload any source code externally.
You can opt for a different approach where you install the Fluid Attacks tool on your local system using the configuration file and setup instructed on this page https://appdefensealliance.dev/casa/tier-2/ast-guide/static-scan and scan the source code with it. Then you can share the output, i.e. the CSV report, with us through email, and we will reflect it on your ESOF CASA dashboard.
We purchased 1 application license. If we need to purchase two licenses, can you help me with that?
You can purchase another license from https://casa.tacsecurity.com/. Please use a different email address for this purchase, as there can be only one account per email address.
How can we submit for a re-scan?
Please follow the steps below to request a rescan:
- Log in to the platform.
- Go to the top left, where you will see the scan list option.
- In the scan list, you will see a Request button under the revalidation tab.
How is the actual scanning performed? Do I have to share source code with you if it is an Android mobile app?
To perform the CASA assessment for an Android app, please choose the SAST scan and then upload the source code of your app to initiate the scan.
I notice on the ESOF Dashboard, a new “CRQ” Cyber Risk Quantification Form item has been added. Should I fill out this information?
It is not required. This feature is not related to CASA assessment.
Where to find the GCP Project Number?
You will find it in the email you received from Google regarding the CASA assessment or in the Google Cloud console settings.
What is Project ID?
Project ID is our platform’s license ID. You can create a scan by selecting it.
What encryption standards do you use to protect our source code during transmission and at rest?
TLS; all communications take place over an HTTPS channel.
How do you control and monitor access to our source code? Who has access to it and under what conditions?
The source code is maintained temporarily on a cloud server while the scan is active. Once the scanning is complete and the results are generated, the source code is deleted.
Access to the server is very restricted.
If humans have access to it and not just an automated platform, will they use MFA? Will they at any point download the source code to their laptops or personal devices?
It is the automated platform that has access to the code; however, someone who can access the server will also be able to access the source code files while they reside on the server. This server access is again very restricted and has several approval layers.
How long do they retain our source code, and what are the policies for its deletion after the testing is complete?
The source code is retained until the scanning is completed. Once completed, the source code is deleted through an automated job on the server.
Do you maintain access logs and activities related to our source code? How long are these logs kept, and who can review them?
Logs are maintained for the following activities:
- Whether uploading of source code was successful.
- Whether scanning was successful.
- Any errors reported during scanning.
No part of the source code is revealed within the logs.
What security measures are in place for your testing environment to prevent unauthorised access or breaches?
Measures range from regular security tests and proper configuration of inbound and outbound rules for our cloud environment to server hardening.
How do you ensure the integrity of our source code throughout the testing process? Are there measures in place to detect and prevent tampering?
The code remains unmodified throughout the testing process. The client uploads the code in a zip file, which is then extracted into a randomized folder that is scanned. This randomized folder is deleted after the scanning is completed.
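The upload, extract-into-a-random-folder, scan and delete flow described above (and the automated deletion job mentioned earlier), as an added example that is not TAC Security's code: it assumes a hypothetical staging root under the system temp directory, rejects archive entries that would escape the random folder (zip slip), records a SHA-256 digest of the archive as received so the client can confirm exactly what was scanned, and refuses to delete anything outside the staging root.

```python
import hashlib
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Hypothetical staging area; the real server layout is not on the page.
STAGING_ROOT = Path(tempfile.gettempdir()) / "casa-staging"


def build_sample_zip(files: dict) -> bytes:
    """Constructed upload: {archive_path: contents} packed into a zip in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def stage_upload(zip_bytes: bytes, root: Path = STAGING_ROOT) -> tuple[Path, str]:
    """Extract an uploaded zip into a fresh random folder; return (folder, sha256).

    Each entry must resolve inside the folder, so names like ../etc/passwd
    are rejected before anything is written. The digest of the archive as
    received is what the client compares against their own upload.
    """
    digest = hashlib.sha256(zip_bytes).hexdigest()
    root.mkdir(parents=True, exist_ok=True)
    folder = Path(tempfile.mkdtemp(prefix="scan-", dir=root))  # random name, mode 0700
    base = str(folder.resolve())
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                target = (folder / info.filename).resolve()
                if os.path.commonpath([base, target]) != base:
                    raise ValueError(f"entry escapes staging folder: {info.filename}")
                zf.extract(info, folder)
    except Exception:
        shutil.rmtree(folder, ignore_errors=True)  # never leave a partial upload behind
        raise
    return folder, digest


def cleanup(folder: Path, root: Path = STAGING_ROOT) -> bool:
    """Automated post-scan deletion; only folders strictly inside root are removed."""
    folder, base = folder.resolve(), str(root.resolve())
    if folder == root.resolve() or os.path.commonpath([base, folder]) != base:
        return False
    shutil.rmtree(folder, ignore_errors=True)
    return not folder.exists()
```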
Are there any measures to anonymise or pseudonymise sensitive data within our source code during analysis?
The data remains anonymous to any engineer or developer maintaining the platform. However, the data cannot be modified for the scanner.
What are your backup procedures for our source code? How often are backups performed, and how are they secured?
We only back up server configurations and our own source code, using AWS services and Git. Backups are performed once a day. Access to AWS is limited and protected by MFA.
When scheduling a scan, which type of scan should we schedule (DAST or SAST)?
It depends on the app type and your preferences. If it’s a web application, you can run the DAST scan just by providing the URL and authentication details (username and password); if it’s a different type of application, you can choose the SAST scan and upload the source code of the entire application in zip file format while submitting the scan.
What do you mean by unlimited reverification in Enterprise Tier 2 plan?
We are pleased to inform you that with our Enterprise Tier 2 Plan, you have the flexibility to conduct assessments throughout the entire year. Should you wish to incorporate new features and receive a recommendation from Google to reassess your system, you will not incur any additional charges. Our plan allows for CASA reassessment at no extra cost, ensuring that you can make changes and adapt as needed without financial concern (validity 10 months).
If we have both a web app and an API that powers that web app, do we submit separate scans for each, or simply one “App” scan for both?
You can combine the source code of the application and run one combined scan by uploading the source code of the entire application in zip file format.
What is the expected approval rate for our app submission to Google after the assessment is completed?
100% if the process is completed according to guidance.
Do we need to supply our Incident Response Policy, Privacy Policy, Information Security Policy, and Vulnerability Disclosure Policy? If so, how?
No, you don’t need to supply these details.