Our CASA-Approved Static Scanning
The App Defense Alliance added Fluid Attacks’ CLI application as an approved tool for application security testing (AST). The Alliance is a partnership between Google and other companies formed to ensure that Android applications are secure for users. Our open-source offering is free to use for static scanning and has been officially accepted to validate tier 2 requirements of the Alliance’s Cloud Application Security Assessment (CASA) framework.
The purpose of the App Defense Alliance
The App Defense Alliance (ADA) emerged in 2019. Its members are Google, ESET, Lookout, Zimperium and, more recently, McAfee and Trend Micro. This partnership is committed to ensuring that applications available in Google Play are not riddled with vulnerabilities.

To fulfill its purpose, the ADA requires developers to verify that their applications comply with industry standards for application security. For mobile apps, the ADA launched the Mobile Application Security Assessment (MASA); for cloud applications, it established the Cloud Application Security Assessment (CASA). The MASA framework validates that apps have the security controls defined in the OWASP Mobile Application Security Verification Standard (MASVS). (By the way, we’ve listed elsewhere the top risks to mobile apps and defined the role of mobile application security testing (MAST), which, if you leverage it with us, can check your compliance with MASVS and beyond.) We are, however, focusing on the CASA framework in this post, so let us explain it in more depth.
Cloud Application Security Assessment (CASA)
The ADA created CASA as an initiative for Android apps to comply with the controls proposed by the OWASP Application Security Verification Standard (ASVS). Its main purpose with this project is to enable secure cloud-to-cloud integrations and boost their extensibility and inclusiveness.

Now, applications differ in things like the sensitivity of the data they access, the number of users per type of data accessed and the risk tolerance level of the company that creates them. For that reason, the framework takes a risk-based, multi-tier approach. Put plainly, the tiers (1, 2 and 3) communicate how strictly security requirements must be followed.

Framework users, such as Google, ask developers to verify their compliance with CASA standards. It is the framework users, not the devs, who determine the tier. Devs can, of course, decide to initiate the assessment without having been contacted, but in that case only passing the tier 3 assessment would earn them a valid CASA verification. This tier requires devs to choose an authorized assessor, who then tests the security of the application for a fee. Teams needing tier 1 and tier 2 assessments can use CASA-recommended scanning tools to check their applications for common vulnerabilities.

And here’s where we’ve got news! We are listed under the static scanning procedures. You can use our CASA-approved, open-source CLI application at no cost to perform static application security testing (SAST).
Our CLI app can be leveraged for vulnerability scanning
Fluid Attacks’ Machine is our CLI application that devs can configure to run source code analysis and assess web applications and other attack surfaces. It performs vulnerability scanning and reports the names of identified vulnerabilities (according to Fluid Attacks’ own standardized set) along with their CWE IDs and their location in your source code. To learn how to configure and use our CLI tool as a vulnerability scanner, follow our guide.

If a CASA Framework User requests that you pass the tier 2 assurance level, be sure to follow the process described by the ADA. Use Machine to scan your application as the Alliance shows on its website. You will be asked to revalidate your application once every year. Remember, though, that security does not stop being a concern between assessments: you should think about it always, with every change to your application. By conducting security testing all the time, you can be aware of and fix common vulnerabilities. We can help you with this.
Secure your applications with Fluid Attacks
We offer Continuous Hacking, which involves performing AST throughout your software development lifecycle (SDLC). We configure Machine to detect your application’s vulnerabilities with accuracy. You can see every finding and its details, including recommendations for fixing the security issues, on our Attack Resistance Management (ARM) platform. There you can also contact us for support via live chat.

Among the benefits of Continuous Hacking are
- securing every deployment without delaying your time-to-market;
- ensuring compliance with several international standards (e.g., PCI DSS, GDPR, CCPA); and
- enabling your cloud DevSecOps implementation.

You can choose between two paid plans: Machine and Squad. Machine Plan offers continuous static application security testing (SAST), dynamic application security testing (DAST) and software composition analysis (SCA) with our tool only. Squad Plan adds AI prioritization and continuous manual penetration testing. Our ethical hackers find the vulnerabilities that represent the most risk to applications. That’s why we recommend you go beyond automation and favor security testing done through the eyes of attackers. If you’d like a taste of our solution, start your 21-day free trial of Machine Plan and upgrade to Squad Plan whenever you want.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/casa-approved-static-scanning/