Intro

Cloud Application Security Assessment

  • Consists of 15 questions
  • Takes 15 minutes to complete
  • For each control, please select an answer that fits best
  • Assessment results in 24-48 hours
  • If you have any questions, contact us via email [email protected]

CASA Overview

To meet CASA requirements for self-assessment, the following controls must be implemented and deployed within your platform. For implementation requirements and details of each item please visit App Defense Alliance's Github page

v2 Authentication Verification Requirements
  • Application meets Password Security Requirements
  • Application meets the General Authenticator Requirements
  • Application meets the Credential Recovery Requirements
v3 Session Management Verification Requirements
  • Application meets the Fundamental Session Management requirements
  • Application meets the Session Binding requirements
  • Application meets the Session Logout and Timeout requirements
  • Application meets the Cookie-based Session Management requirements
  • Application meets the Token-based Session Management requirements
v4 Access Control Verification Requirements
  • Application meets the 'General Access Control Design' requirements
  • Application meets the 'Operation Level Access Control' requirements
v6 Stored Cryptography Verification Requirements
  • Application meets the Stored Cryptography Verification Requirements as described in OWASP ASVS 4.0
v8 Data Protection Verification Requirements
  • Application meets the Sensitive Private Data requirements
v9 Communications Verification Requirements
  • Application meets the Client Communications Security requirements
  • Application meets the Server Communications Security requirements
v12 File and Resources Verification Requirements
  • Application meets the File Download requirements
  • Application meets the SSRF Protection requirements
v13 API and Web Service Verification Requirements
  • Application meets the Generic Web Service Security Verification requirements
  • Application meets the RESTful Web Service Verification requirements
v14 Configuration Verification Requirements
  • Application meets the HTTP Security Headers requirements
  • Application meets the Validate HTTP Request Header requirements

Information

This questionnaire will be based on the OWASP ASVS standard. You can read more about the standard at OWASP ASVS

V2 Authentication Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • Verify the digital identity of the sender of a communication.
  • Ensures that only those authorized are able to authenticate and credentials are transported in a secure manner.

Please confirm that your application meets the V2 Authentication Verification Requirements as described in OWASP ASVS 4.0

2.1.1 Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined). (C6)

2.1.5 Verify users can change their password.

2.1.6 Verify that password change functionality requires the user's current and new password.

2.2.1 Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.

2.5.2 Verify password hints or knowledge-based authentication (so-called "secret questions") are not present.

2.5.3 Verify password credential recovery does not reveal the current password in any way. (C6)
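
The two V2 items that are easiest to get wrong in practice are the length rule in 2.1.1 (length counted only after runs of spaces are collapsed, so padding with spaces does not help) and the anti-automation ceiling in 2.2.1 (no more than 100 failed attempts per account per hour, with escalating delays rather than a hard lockout that an attacker could turn against the real user). The following Python is an added illustration written for this page; it is not part of the CASA questionnaire or the App Defense Alliance's materials. The breached-password set, the 300 second delay cap and the simulated attacker schedule are constructed assumptions.

```python
import re
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

MIN_PASSWORD_LENGTH = 12      # ASVS 2.1.1
MAX_FAILED_PER_HOUR = 100     # ASVS 2.2.1 ceiling per account
WINDOW_SECONDS = 3600
MAX_DELAY_SECONDS = 300       # assumption: cap for the growing delay between attempts

# Constructed stand-in for a breached-password list (a real deployment queries a large
# corpus such as Pwned Passwords); assumption for this example only.
BREACHED_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12"}


def check_password_policy(password: str) -> Tuple[bool, str]:
    """2.1.1: collapse runs of spaces before measuring length, so 'abc    def   gh'
    counts as 10 characters, not 15; also reject values on the breached list."""
    collapsed = re.sub(r" {2,}", " ", password)
    if len(collapsed) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters after collapsing spaces"
    if collapsed.lower() in BREACHED_PASSWORDS:
        return False, "matches a breached password"
    return True, "ok"


class LoginThrottle:
    """Per-account anti-automation for 2.2.1.

    Two layers: a sliding one-hour window that hard-caps failed attempts at
    MAX_FAILED_PER_HOUR, and a soft lockout whose wait time doubles with each
    consecutive failure (reset on success). The guessing attacker is slowed down
    without a hard lockout that could be used to lock the legitimate user out.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = {}
        self._consecutive: Dict[str, int] = {}
        self._not_before: Dict[str, float] = {}

    def _recent_failures(self, account: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= WINDOW_SECONDS:   # drop failures older than one hour
            q.popleft()
        return q

    def allow_attempt(self, account: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait); call this before checking the password."""
        now = self._clock()
        q = self._recent_failures(account, now)
        if len(q) >= MAX_FAILED_PER_HOUR:
            return False, WINDOW_SECONDS - (now - q[0])
        wait = self._not_before.get(account, 0.0) - now
        if wait > 0:
            return False, wait
        return True, 0.0

    def record_failure(self, account: str) -> float:
        """Register a failed login; return the delay imposed before the next attempt."""
        now = self._clock()
        self._recent_failures(account, now).append(now)
        n = self._consecutive.get(account, 0) + 1
        self._consecutive[account] = n
        delay = float(min(2 ** (n - 1), MAX_DELAY_SECONDS))   # 1, 2, 4, ... capped
        self._not_before[account] = now + delay
        return delay

    def record_success(self, account: str) -> None:
        self._consecutive.pop(account, None)
        self._not_before.pop(account, None)


def simulate_brute_force(interval_seconds: float, hours: float = 1.0) -> Tuple[int, int]:
    """Constructed scenario: an attacker submits a wrong password for one account every
    interval_seconds, driven by a fake clock. Returns (attempts_sent, attempts_processed)."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    sent = processed = 0
    while fake_now[0] < hours * WINDOW_SECONDS:
        sent += 1
        allowed, _ = throttle.allow_attempt("victim")
        if allowed:
            processed += 1
            throttle.record_failure("victim")   # wrong password every time
        fake_now[0] += interval_seconds
    return sent, processed


if __name__ == "__main__":
    print(check_password_policy("abc    def   gh"))
    print(simulate_brute_force(10.0))   # 360 attempts sent, only 20 reach the password check
```

With one guess every ten seconds the doubling delay alone lets only 20 of 360 attempts through in an hour; the sliding-window cap is the backstop for attackers who pace themselves exactly to the delay schedule.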

V3 Session Management Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • Sessions are unique to each individual and cannot be guessed or shared
  • Sessions are invalidated when no longer required and timed out during periods of inactivity
  • Stateless session management

Please confirm that your application meets the V3 Session Management Verification Requirements as described in OWASP ASVS 4.0

3.1.1 Verify the application never reveals session tokens in URL parameters.

3.2.1 Verify the application generates a new session token on user authentication. (C6)

3.3.1 Verify that logout and expiration invalidate the session token, such that the back button or a downstream relying party does not resume an authenticated session, including across relying parties. (C6)

3.4.1 Verify that cookie-based session tokens have the 'Secure' attribute set. (C6)

3.4.2 Verify that cookie-based session tokens have the 'HttpOnly' attribute set. (C6)

3.5.2 Verify the application uses session tokens rather than static API secrets and keys, except with legacy implementations.
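
The session requirements above describe four concrete behaviours: a fresh token on login (3.2.1), server-side invalidation on logout and idle timeout (3.3.1), Secure and HttpOnly on the cookie (3.4.1, 3.4.2), and never carrying the token in a URL (3.1.1). The following Python, written for this page and not taken from the CASA materials, shows a minimal server-side session store that satisfies them plus two self-assessment helpers for the cookie header and for URLs. The cookie name, the 30 minute idle timeout and the SameSite attribute are assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sid"
IDLE_TIMEOUT_SECONDS = 30 * 60   # assumption: 30 minutes of inactivity ends the session


class SessionStore:
    """Server-side session store keyed by an unguessable random token."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    @staticmethod
    def _new_token() -> str:
        # 256 bits from the OS CSPRNG; never derived from user id, time or a counter
        return secrets.token_urlsafe(32)

    def create_anonymous(self) -> str:
        """Pre-login session, e.g. for a shopping cart."""
        token = self._new_token()
        self._sessions[token] = {"user": None, "last_seen": self._clock()}
        return token

    def login(self, old_token: Optional[str], user: str) -> str:
        """3.2.1: authentication always issues a NEW token and discards the old one, so a
        token an attacker planted before login (session fixation) never becomes authenticated."""
        if old_token is not None:
            self._sessions.pop(old_token, None)
        token = self._new_token()
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, token: Optional[str]) -> Optional[dict]:
        """Resolve a token; idle-expired sessions are deleted, not merely ignored."""
        if token is None or token not in self._sessions:
            return None
        session = self._sessions[token]
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session

    def logout(self, token: str) -> None:
        """3.3.1: invalidate server side, so a cookie replayed via the back button is useless."""
        self._sessions.pop(token, None)


def session_set_cookie(token: str) -> str:
    """3.4.1 / 3.4.2: Secure and HttpOnly are the required attributes; SameSite is extra defence."""
    return f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def check_set_cookie(header_value: str) -> Dict[str, bool]:
    """Self-assessment helper: parse a Set-Cookie value and report which attributes are present."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": "samesite" in attrs,
    }


def token_in_url(url: str) -> bool:
    """3.1.1: True if the session token travels as a query parameter, where it would leak
    through Referer headers, proxy logs and browser history."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return SESSION_COOKIE in query


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create_anonymous()
    auth = store.login(anon, "alice")
    print("rotated on login:", anon != auth, "old token dead:", store.lookup(anon) is None)
    print(session_set_cookie(auth))
```

Run `check_set_cookie` over the Set-Cookie values captured from your own login response; both `secure` and `httponly` must come back True for the session cookie.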

V4 Access Control Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • Persons accessing resources hold valid credentials to do so
  • Users are associated with a well-defined set of roles and privileges
  • Role and permission metadata is protected from replay or tampering

Please confirm that your application meets the V4 Access Control Verification Requirements as described in OWASP ASVS 4.0

4.1.5 Verify that access controls fail securely including when an exception occurs. (C10)

4.2.2 Verify that the application or framework enforces a strong anti-CSRF mechanism to protect authenticated functionality, and effective anti-automation or anti-CSRF protects unauthenticated functionality.
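
4.1.5 asks that an access-control decision never turns into a grant because the check itself failed (a missing attribute, an unknown role, a backend error); 4.2.2 asks that state-changing requests on an authenticated session carry proof that the user's own page issued them. The Python below is an added example for this page, not code from the CASA materials: a deny-by-default decorator whose try/except converts any exception in the check into a denial, and a synchronizer-style CSRF token bound to the session id with an HMAC. The role table and the in-process CSRF key are constructed assumptions; in a deployment the key comes from a secrets manager.

```python
import hashlib
import hmac
import secrets
from functools import wraps
from typing import Callable, Dict, Set

# Constructed role table (assumption for the example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"user:read", "user:delete"},
    "viewer": {"user:read"},
}
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CSRF_KEY = secrets.token_bytes(32)   # assumption: loaded from a secrets manager in practice


class AccessDenied(Exception):
    pass


def permissions_for(user: dict) -> Set[str]:
    """Backend lookup that can raise: a record without 'role' or with an unknown role
    raises KeyError. Such errors must become denials, never grants."""
    return ROLE_PERMISSIONS[user["role"]]


def require(permission: str) -> Callable:
    """4.1.5: decide inside try/except so ANY failure of the check denies; the handler
    body runs only after an explicit positive decision."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def guarded(user: dict, *args, **kwargs):
            try:
                allowed = permission in permissions_for(user)
            except Exception:          # bad data, unknown role, backend error: deny
                allowed = False
            if not allowed:
                raise AccessDenied(permission)
            return handler(user, *args, **kwargs)
        return guarded
    return decorator


@require("user:delete")
def delete_user(user: dict, target: str) -> str:
    return f"deleted {target}"


def attempt_delete(user: dict, target: str) -> str:
    """Call the guarded handler and report the outcome as a string."""
    try:
        return delete_user(user, target)
    except AccessDenied:
        return "denied"


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(key, session_id:nonce); it is only valid for the session it was minted for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison; malformed tokens and tokens from other sessions fail."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def check_request(method: str, session_id: str, form: Dict[str, str]) -> bool:
    """4.2.2: every state-changing request must carry a token valid for this session."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True
    return verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    print(attempt_delete({"role": "admin"}, "bob"), "|", attempt_delete({}, "bob"))
    tok = issue_csrf_token("session-1")
    print(check_request("POST", "session-1", {"csrf_token": tok}), check_request("POST", "session-2", {"csrf_token": tok}))
```

The malformed record `{}` is the interesting case: without the try/except the KeyError would propagate and, depending on the framework, could reach a code path that assumes the check already passed.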

V6 Stored Cryptography Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • Data classification
  • Strong cryptographic architectures and algorithms are in use
  • Suitable random number generator is used when randomness is required
  • That access to keys is managed in a secure way with secrets management

Please confirm that your application meets the V6 Stored Cryptography Verification Requirements as described in OWASP ASVS 4.0

6.1.1 Verify that regulated private data is stored encrypted while at rest, such as Personally Identifiable Information (PII), sensitive personal information, or data assessed likely to be subject to EU's GDPR.

6.1.2 Verify that regulated health data is stored encrypted while at rest, such as medical records, medical device details, or de-anonymized research records.

6.1.3 Verify that regulated financial data is stored encrypted while at rest, such as financial accounts, defaults or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records.

6.2.2 Verify that industry proven or government approved cryptographic algorithms, modes, and libraries are used, instead of custom coded cryptography.

V8 Data Protection Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • Confidentiality: Data should be protected from unauthorised observation or disclosure both in transit and when stored
  • Integrity: Data should be protected from being maliciously created, altered or deleted by unauthorized attackers
  • Availability: Data should be available to authorized users as required

Please confirm that your application meets the V8 Data Protection Verification Requirements as described in OWASP ASVS 4.0

8.3.2 Verify that users have a method to remove or export their data on demand.

V9 Communications Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • TLS or strong encryption is always used, regardless of the sensitivity of the data being transmitted
  • The most recent, leading configuration advice is used to enable and order preferred algorithms and ciphers
  • Weak or soon to be deprecated algorithms and ciphers are ordered as a last resort
  • Deprecated or known insecure algorithms and ciphers are disabled

Please confirm that your application meets the V9 Communications Verification Requirements as described in OWASP ASVS 4.0

9.1.2 Verify using up to date TLS testing tools that only strong cipher suites are enabled, with the strongest cipher suites set as preferred.

9.1.3 Verify that only the latest recommended versions of the TLS protocol are enabled, such as TLS 1.2 and TLS 1.3. The latest version of the TLS protocol should be the preferred option.
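
9.1.2 and 9.1.3 are usually verified from the outside with a scanner such as testssl.sh or sslyze, but the same policy can be expressed and checked in code. The Python below is an added example for this page, not part of the CASA materials: a hardened ssl.SSLContext (TLS 1.2 minimum, forward-secret AEAD suites only, server-side preference order), a lax "before" context for comparison, an audit function that reports findings in the wording of the two requirements, and a probe that reports what a live server negotiates. The weak-cipher marker list and the cipher string are assumptions chosen for the example.

```python
import socket
import ssl
from typing import Dict, List

# Substrings that mark cipher suites a current TLS scanner would flag (assumption: a
# simplified list; a real review uses the scanner's own rating).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ADH", "AECDH", "PSK", "SRP")
# Assumption: AEAD suites with (EC)DHE key exchange only; TLS 1.3 suites are separate and always AEAD.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def weak_cipher_names(names: List[str]) -> List[str]:
    """Return the cipher names from `names` that match a weak-cipher marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


def hardened_server_context() -> ssl.SSLContext:
    """9.1.2 / 9.1.3: TLS 1.2 minimum (1.3 negotiated when both sides support it),
    strong suites only, and the server's order wins so the strongest is preferred."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    return ctx


def lax_server_context() -> ssl.SSLContext:
    """The 'before' configuration: still accepts TLS 1.0 and 1.1 (assumption: the local
    OpenSSL build still permits setting that floor)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a context, phrased after the two requirements; empty list means clean."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"9.1.3: minimum protocol version below TLS 1.2 ({ctx.minimum_version.name})")
    weak = weak_cipher_names([c["name"] for c in ctx.get_ciphers()])
    if weak:
        findings.append("9.1.2: weak cipher suites enabled: " + ", ".join(weak))
    return findings


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Connect as a client that would still accept TLS 1.0 and report what the server
    negotiates. Needs network access, so it is not exercised by the test."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": str(bits)}


if __name__ == "__main__":
    print("lax:", audit_context(lax_server_context()))
    print("hardened:", audit_context(hardened_server_context()))
```

A single probe only shows the suite one client negotiated; to verify "only strong cipher suites are enabled" you still need a scanner that walks the full suite list, which is what 9.1.2 asks for.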

V13 API and Web Service Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

Ensure that a verified application that uses RESTful or SOAP based web services has:

  • Adequate authentication, session management, and authorization of all web services
  • Input validation of all parameters that transit from a lower to higher trust level
  • JSON and XML handling

Please confirm that your application meets the V13 API and Web Service Verification Requirements as described in OWASP ASVS 4.0

13.1.5 Verify that requests containing unexpected or missing content types are rejected with appropriate headers (HTTP response status 406 Not Acceptable or 415 Unsupported Media Type).

13.2.5 Verify that REST services explicitly check the incoming Content-Type to be the expected one, such as application/xml or application/json.
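
13.1.5 and 13.2.5 together mean: a body-carrying request must declare a Content-Type the service actually parses (otherwise 415), and the client's Accept header must admit the type the service produces (otherwise 406). The distinction matters because a browser can send a cross-site form POST as text/plain or multipart/form-data but not as application/json, so a strict Content-Type check closes that class of CSRF-like requests. The following Python is an added example written for this page, not code from the CASA materials; it assumes a JSON-only REST service and a UTF-8 charset.

```python
from typing import Dict, Optional, Tuple

ACCEPTED_REQUEST_TYPES = {"application/json"}   # assumption: JSON-only service
PRODUCED_TYPE = "application/json"
BODY_METHODS = {"POST", "PUT", "PATCH"}


def parse_media_type(value: str) -> Tuple[str, Dict[str, str]]:
    """'Application/JSON; charset=UTF-8' -> ('application/json', {'charset': 'utf-8'})."""
    main, *raw_params = value.split(";")
    params: Dict[str, str] = {}
    for p in raw_params:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return main.strip().lower(), params


def accept_allows(accept: Optional[str], produced: str) -> bool:
    """True if the Accept header admits `produced`. A missing Accept means 'anything';
    a q=0 entry explicitly refuses that type."""
    if accept is None or accept.strip() == "":
        return True
    top = produced.split("/", 1)[0]
    for item in accept.split(","):
        media_type, params = parse_media_type(item)
        try:
            q = float(params.get("q", "1"))
        except ValueError:
            q = 1.0
        if q <= 0:
            continue
        if media_type in ("*/*", f"{top}/*", produced):
            return True
    return False


def negotiate(method: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, reason); 200 means the request passed both checks."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in BODY_METHODS:
        raw = h.get("content-type")
        if raw is None or raw.strip() == "":
            return 415, f"Content-Type is required for {method.upper()}"
        media_type, params = parse_media_type(raw)
        if media_type not in ACCEPTED_REQUEST_TYPES:   # 13.2.5: explicit check, no sniffing
            return 415, f"unsupported Content-Type {media_type!r}"
        if params.get("charset", "utf-8") != "utf-8":
            return 415, f"unsupported charset {params['charset']!r}"
    if not accept_allows(h.get("accept"), PRODUCED_TYPE):   # 13.1.5
        return 406, f"client does not accept {PRODUCED_TYPE}"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests
    for method, hdrs in [
        ("POST", {"Content-Type": "application/json", "Accept": "application/json"}),
        ("POST", {"Accept": "*/*"}),                       # missing Content-Type
        ("POST", {"Content-Type": "text/plain"}),          # what a cross-site form can send
        ("GET", {"Accept": "text/html"}),
    ]:
        print(method, hdrs, "->", negotiate(method, hdrs))
```

Note that the check deliberately ignores the body: deciding by looking at the payload (sniffing) would reintroduce the ambiguity the requirement is meant to remove.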

V14 Configuration Verification Requirements

The following is a summary of the requirements in this control. For details, visit the App Defense Alliance's Github page, which provides the exact requirements for this control.

  • Hardened third-party library, dependency and configuration management such that out-of-date or insecure components are not included by the application
  • A secure-by-default configuration, such that administrators and users have to deliberately weaken the default security posture
  • Configuration Review of Cloud Services (Compute, logical network design, logical storage, and configuration)

Please confirm that your application meets the V14 Configuration Verification Requirements as described in OWASP ASVS 4.0

14.4.3 Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities.

14.4.7 Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers.

14.5.3 Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin.
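
The three V14 items above can be checked from a single captured response. The Python below is an added example for this page, not code from the CASA materials: an audit over a response's headers that reports findings in the wording of 14.4.3, 14.4.7 and 14.5.3, and a CORS responder that only ever echoes an Origin found in an exact-match allowlist (so "null", suffix look-alikes such as https://app.example.com.evil.test and path-smuggling values all get no CORS headers). The allowlist is a constructed assumption, and the CSP check is deliberately simple: it flags 'unsafe-inline' in script-src even when a nonce is also present, which needs manual review.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist (assumption for the example): complete origins, matched exactly.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def normalise_origin(origin: str) -> Optional[str]:
    """Return 'scheme://host[:port]' in lower case, or None if the value is not a bare origin."""
    try:
        u = urlsplit(origin)
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or not u.netloc or u.path or u.query or u.fragment:
        return None
    return f"{u.scheme}://{u.netloc.lower()}"


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """14.5.3: echo the Origin only when it is on the allowlist; everything else gets no
    CORS headers, which leaves the response same-origin-only in the browser."""
    if not request_origin or request_origin == "null":
        return {}
    origin = normalise_origin(request_origin)
    if origin is None or origin not in TRUSTED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """'default-src 'self'; frame-ancestors 'none'' -> {'default-src': ["'self'"], ...}"""
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one response against 14.4.3, 14.4.7 and 14.5.3; empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("14.4.3: no Content-Security-Policy header")
    else:
        script_src = directives.get("script-src", directives.get("default-src"))
        if script_src is None:
            findings.append("14.4.3: CSP has neither script-src nor default-src, so scripts are unrestricted")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("14.4.3: script-src allows 'unsafe-inline' or '*', which defeats the XSS mitigation")

    frame_ancestors = directives.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("14.4.7: no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN")
    elif frame_ancestors is not None and "*" in frame_ancestors:
        findings.append("14.4.7: frame-ancestors allows embedding by any site")

    acao = h.get("access-control-allow-origin")
    if acao == "null":
        findings.append("14.5.3: Access-Control-Allow-Origin reflects the null origin")
    elif acao == "*":
        findings.append("14.5.3: wildcard Access-Control-Allow-Origin; acceptable only for public, credential-free resources")
    return findings


if __name__ == "__main__":
    # Constructed sample responses
    print(audit_security_headers({}))
    print(audit_security_headers({
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }))
    for origin in ["https://app.example.com", "null", "https://app.example.com.evil.test",
                   "https://evil.test/https://app.example.com"]:
        print(origin, "->", cors_headers(origin))
```

Feed `audit_security_headers` the headers of an authenticated page, an API response and an error page; the error page is where a framework default most often drops the CSP.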

Thank you for submitting your request. Please download the CASA Scoping Survey here and email it back to us at [email protected] at your earliest convenience, thank you!