Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›


Cloud Application Security Assessment (CASA)

Apply industry-recognized application security standards, certify your application, and go to market with confidence.

Bishop Fox utilizes the App Defense Alliance (ADA) Framework based on technical controls from the OWASP Application Security Verification Standard (ASVS) to test your applications and ensure the security of user data.

2022 Q3 CPT Pillar Additional Light 2

Getting Started

What Do I Need to Get Started?

You will need to have your assessment notification ready.  

This is typically an email notification from the App Defense Alliance Framework User (i.e., Google) indicating that you are required to complete a CASA assessment. This includes the tier of the assessment you are required to complete and the due date. 

As an authorized lab, Bishop Fox provides CASA Tier 3 assessments only.

Google CASA Assessment Tiers

To get your CASA Tier 3 assessment started, please fill out this form.

By submitting this form, you indicate that you have read and agree to the terms of our Privacy Policy


Understand the Path to App Defense Alliance CASA Certification

Google CASA path to certification visualize in a timeline.

Conducting Testing with Bishop Fox

1. Request your assessment.

Complete and submit the form above including your project number and due date to access the Bishop Fox CASA scoping survey. This short, one-page survey will help us expedite the process and kick off the testing project in an efficient manner.

2. Submit your Bishop Fox CASA scoping survey.

As soon as your scoping survey is completed, you can email it to [email protected]. After that, we will be in touch to schedule a meeting and review it with you.

3. Kick off your project.

Once your submission has been reviewed, we’ll prepare a statement of work. When that is signed, the project begins.

Alternatively, if you’ve worked with us before and you’re looking to perform your annual CASA test revalidation, visit our page for returning customers here.


    Why Should I Work With Bishop Fox?

    Icon Service Google Cloud Application Security Assessment logo - CASA

    Authorized and Experienced Testing

    With 700+ partner security assessments, we’re one of the most experienced authorized App Defense Alliance testing service providers on the market.

    Icon Benefits Desk

    Application Security Experts

    Partner with the brightest minds in application security to test for vulnerabilities that attackers can exploit, while approving your application for App Defense Alliance Framework Users.

    Icon Top Tech Dark BG

    Actionable Reporting

    We deliver reporting on the engagement process, findings, and remediation recommendations aligned to OWASP ASVS.

    NPS Icon

    World-Class Customer Experience

    We have a "world-class" NPS score of 87+ on our Google Partner Security Assessments. Rest assured; you’ll have a positive experience working with us.

    Icon Globe Dark BG

    Trusted by Industry Leaders

    26 of the Fortune 100 and 8 of the top 10 global tech companies trust us with their offensive security needs.

    Icon Projects Dark BG B

    Augment with Additional Testing Options like MASA

    Require a mobile app penetration test in addition to a CASA assessment? Our resources means you can easily expand the scope of your project with us and create efficiencies.

    Four business people sitting at a table working on code assisted penetration testing.

    We partnered with Google to design their third-party security program.

    When Google needed to ensure that their user data was being handled securely, they partnered with Bishop Fox to design a security assessment program that could validate the security posture of their partners and third-party apps. Now, with the advent of the App Defense Alliance, we’re ready to build on this foundation to deliver world-class testing services that ensures application safety of Google’s app ecosystem.


    You have questions. We have answers.

    When will the assessment start?

    Partners need to provide full project enablement (PE) items (e.g., test accounts, completed SAQ, etc.) before receiving a start date. This is to ensure that there are no delays to the project schedule.

    How long will the assessment take?

    Once all the paperwork is in place, fieldwork can typically take one to two weeks. After that, reporting and QA take up to one week for report delivery. This does not include remediation time if vulnerabilities are identified that require your fixes and Bishop Fox’s re-testing.

    What will the scope of the testing be?

    The focus of the penetration testing is the application that the framework user (e.g., Google) has indicated requires an assessment.

    What will the scoping information be used for?

    Information shared with us for scoping will be used to determine overall effort required for testing. The more accurate the scoping details are, the more accurate and cost-sensitive we can be with the scope and quote.

    How will my sensitive data be handled?

    All sensitive data will be stored, processed, and transmitted securely. Your Bishop Fox engagement manager can help set up a secure file share to use throughout the project.

    We are rebuilding the application now and/or migrating it to a new infrastructure. Should we do the test now or later?

    If it's possible to hold off (considering any deadlines given by the Framework User requiring the assessment, e.g., Google), it would be best to have the most up-to-date version of your application. This is to ensure we get appropriate coverage on any additional functionality or application changes that could affect testing.

    We are interested in a standard Letter of Assessment in addition to the CASA Letter of Validation (LOV). Does this change the scope/cost?

    Yes. We will need to review the scope and determine if additional testing is required to meet our standards for a general Letter of Assessment in addition to the CASA LOV. If you have a particular compliance requirement, please describe it and the framework, so we can consider it appropriately in scoping.

    Still have questions?

    Chat with one of our CASA security experts to learn how we can support your security needs.

    This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.