google-apps-script, google-cloud-platform, add-on

Can you explain the detailed steps or suggest a video for a Tier 2 security assessment on Cloud Application Security Assessment (CASA)?


I have a Google Sheets (editor) add-on. Recently they asked me to reverify my app, because it was using a restricted scope (drive). Now I have updated the code and somehow I have managed to remove all restricted scopes from the code. They have also asked me to go for a Tier 2 security assessment for my application. Their email:

Hello Google Developer,

Thank you for your patience while we reviewed your submission for project my-project-name. We need you to address the following items for us to continue your app’s verification:

You are required to complete a Tier 2 security assessment for your application by the following date: 2024-01-15. This assessment is required annually; to learn more, please visit the CASA website.

You have the following options to complete your assessment:

1 - Tier 2 Self Scan Using Open Source Tool

  • Follow the CASA Tier 2 procedures to self scan your application
  • Fix any high severity CWEs flagged by your scan
  • Register or log-in to the CASA portal and initiate your security assessment
  • Submit your scan results and fill out the CASA questionnaire on the portal
  • Receive the results and validation report in the CASA portal
  • The CASA portal will automatically share the Letter of Validation with Google

2 - Tier 2 Self Scan Using Commercial Tools

  • Follow the CASA Tier 2 procedures to self scan your application using commercial pre-approved tools
  • Fix any high severity CWEs flagged by your scan
  • Register or log-in to the CASA portal and initiate your security assessment
  • Submit your scan results and fill out the CASA questionnaire on the portal
  • Receive the results and validation report in the CASA portal
  • The CASA portal will automatically share the Letter of Validation with Google.

You can use any CWE-compatible app scanning tool(s) that meet the CASA scan requirements.

3 - Tier 2 Authorized Lab Scan

Alternatively, we worked with the CASA authorized labs to provide a low cost Tier 2 alternative for developers who want to work with a lab to conduct the assessment. Contact any CASA authorized lab to conduct your Assessment.

NOTE: If you opt to complete a Tier 2 assessment with a CASA authorized lab, you are not required to initiate an assessment on the CASA portal and fill out the questionnaire.

Useful resources

Refer to the following documentation for more information:

Important! Once you have addressed the issues above, reply directly to this email to confirm. You must reply to this email after fixing the highlighted issues to continue with the app verification process.

Need to make changes to your verification request?

Please make direct changes on the Cloud Console. Save and submit the changes when finished.

No longer need access to these scopes?

Please reply to this email to cancel the verification request.

Need other help?

For more information on OAuth Verification, you can read the terms or policies for the APIs or products your app uses, as well as the following resources:

Link to OAuth Verification FAQ

Thank you,

The Third Party Data Safety Team

I have tried to understand things, but I am not able to understand all the technical terms.

Question 1: I don't know whether I should go for the FluidAttacks Free and Open Source CLI or another one.

Question 2: In my case, which of the options in the above image should be chosen?

Edit: I emailed them the following. [screenshot] Their reply: [screenshot]

So I don't need to go for CASA verification for this app. But these questions should be answered. They will be useful to others, and to me too for my other projects.

References:

  1. Google app script publish require CASA verification after initial OAuth verification. Is there any way to avoid it?
  2. I have verified the google-api Oauth2 but in the next step the sent an email. tier 2 Cloud Application Security Assessment (CASA) google API. This is relevant to my question, but it doesn't give the answer to my question.
  3. Select Your Application Scan Type

Solution

  • For your first question I'd select FluidAttacks as my scan tool. Based on my interpretation of CASA's definitions, Google Add-ons fall under the Serverless banner (even more so than Web Apps), since a lot of the underlying infrastructure that drives them is provided by Google as it's a cloud-based technology. So for your second question, and by process of elimination, your scan type would be "Static Scanning Procedures": it supports serverless and it's a non-custom, CASA-recommended option.