CASA Assessment


Darren D'Mello

Jul 26, 2023, 11:42:26 PM
to Google Apps Script Community
Hello,

I have an editor form add-on that uses the following scopes

auth/forms
auth/script.container.ui
auth/script.external_request
auth/script.scriptapp
auth/script.send_mail
auth/drive.metadata.readonly
auth/drive.file
auth/spreadsheets
auth/userinfo.email

For final approval, I am required to complete a Tier 2 verified self security assessment and be issued a Letter of Validation for your application.

I would like to use: 1 - Tier 2 Self Scan Using Open Source Tools

instead of using the below:
2 - Tier 2 Self Scan Using Commercial Tools
3 - Tier 2 Authorized Lab Scan

since 1) is free to use.

----

I have some questions. "Application in scope for Tier 2 assessment":
Mine is an editor form add-on, which should I choose?

Web Application
Mobile
API
Browser Extension
Local Application
Serverless Application

I am not sure I understand this; there is no example or video that explains the process.
https://appdefensealliance.dev/casa/tier-2/ast-guide

Any help is greatly appreciated.

DimuDesigns

Jul 27, 2023, 7:28:31 AM
to Google Apps Script Community
It's basically a process of elimination:
- Add-ons are not supported on Mobile, so you can exclude that one

- It's not a Chrome Extension, so that excludes Browser Extensions

- Add-ons live in the cloud, so they can't be a local application

- Add-ons in and of themselves are not APIs (though some devs might deploy a GAS Web App behind the scenes that may serve in that role to complement an Add-on)

- Serverless is kinda tricky since Add-ons now support alternative runtimes, which allows you to use serverless features like Cloud Functions. But since your add-on is built using GAS, you can eliminate that option.

All that's left is Web Application.

Darren D'Mello

Jul 27, 2023, 10:37:36 AM
to Google Apps Script Community
Thank you so much for your help, Dimu Designs. I value your time and effort.
I am so dumb and this is completely new to me.

I am now wondering what my procedure should be?

Static Scanning Procedures
Dynamic Scanning Procedures

There is no hard example to know how an Apps Script add-on should be tested. Do you have any example that mentions the testing process for editor add-ons?

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/93bf6159-e2db-4ba4-ae7c-9e2a133e8b9en%40googlegroups.com.

Kevin Vaghasiya

Jul 27, 2023, 10:40:54 AM
to google-apps-sc...@googlegroups.com
You have to test using Dynamic Scanning Procedures.

I received CASA verification recently; I removed the restricted scope after researching CASA verification.

Darren D'Mello

Jul 27, 2023, 10:51:38 AM
to Google Apps Script Community
Thanks Kevin,

Do you have any idea how to scan via Dynamic Procedures?

I have installed the OWASP® Zed Attack Proxy, but this automated software asks me for the URL of the web app. How can an add-on have a URL?

My add-on is an editor add-on and runs inside a form as an add-on sidebar. There is no example of how to scan an add-on that's designed using Apps Script. This is totally frustrating.

Do you have any suggestions?



Kevin Vaghasiya

Jul 27, 2023, 11:29:19 AM
to google-apps-sc...@googlegroups.com
Are you making requests to any third parties from the add-on? If yes, you have to enter those URLs.
If not, you can try adding the URLs of the Google APIs that you are using in the script (not sure if it's the correct solution).


Darren D'Mello

Jul 27, 2023, 11:37:01 AM
to Google Apps Script Community
Can anyone suggest something in this regard? There is no documentation on how an add-on needs to be tested, nor any email support.

It's a shame; if any support is asked for, they would end up sending https://appdefensealliance.dev/casa/tier-2/ast-guide, which is totally abstract.

Has anyone in this community undergone any verification for an editor add-on?

Thanks to Kevin for replying; you mentioned it's an external URL. But I don't think this will work. The tests are carried out against the add-on and not the third party, so I think this should be ruled out.

Any insights would be appreciated.

Darren D'Mello

Jul 28, 2023, 10:53:46 PM
to Google Apps Script Community

This appears to be a local application, as replied by the OAuth review team. So it's not an external URL?
Does anyone know how an editor add-on CASA process is done? This community has great personalities, and I really wonder whether you have not come across such a situation.
Is it something that's new? It's so frustrating and I really don't understand whom to approach.

Thank you for your patience while we reviewed your application.

Your application falls under local applications. Please use the portal messaging feature for support.

Thank you for your patience. If you have any questions, please reply directly to this email.


Screenshot.png

Darren D'Mello

Jul 31, 2023, 10:21:32 PM
to Google Apps Script Community
Hopefully, watch for this email in your inbox


It's time to get your Drive Apps CASA verified.
--
Best,
Darren

Kevin Vaghasiya

Nov 2, 2023, 1:42:06 AM
to Google Apps Script Community
Hi Darren,

How did it go? Did your app get approved?

Darren D'Mello

Nov 2, 2023, 3:20:19 AM
to google-apps-sc...@googlegroups.com
It's not done, Kevin.

Feeling quite sad; no responses to my post, a lonely moment.
There are no online resources that may help.

The world is only helpful to big shots, and small fishes like me are prey.




--
Best,
Darren

Kevin Vaghasiya

Nov 2, 2023, 4:51:25 AM
to Google Apps Script Community
Sorry to hear that,

What are you going to do about it?

Romain Vialard

Nov 2, 2023, 5:48:20 AM
to Google Apps Script Community
Sorry Darren.

On my side, I only passed Tier 3, not Tier 2, and I paid an external assessor to do everything. No real experience to share here.

But I know other GDEs have done Tier 2.
And I believe it should be better documented.
I'll try to escalate.

Darren D'Mello

Nov 4, 2023, 12:28:27 PM
to Google Apps Script Community
Thank you Romain. I appreciate your concern and prompt response.

Any feedback using Tier 2 is greatly appreciated.

Darren D'Mello

Nov 8, 2023, 8:33:21 AM
to Google Apps Script Community
Hi Romain and other GDEs,

Any luck on this? Perhaps it's really hard I guess.

Any pointers are worth gems.

Thanks in advance.

Artem Tereshkov

Nov 8, 2023, 10:08:52 AM
to Google Apps Script Community
Hi Darren! 

I want to pass the test using this method, "Tier 2 Self Scan Using Open Source Tools", for my iOS app.

Can you tell me if this test is also paid?

Darren D'Mello

Nov 8, 2023, 10:29:02 AM
to Google Apps Script Community
I have no idea Artem. For this very reason, I sought the help of community here.

I am hoping someone could help us. Else it's a disaster.

Eunice Tan

Nov 9, 2023, 12:33:40 AM
to Google Apps Script Community
I am currently undergoing a Tier 2 assessment for my application (but mine is classified as a Web Application, so not sure if it is exactly the same). We basically got an email with a link to a Cloud Application Security Assessment portal (https://rc.products.pwc.com/login/casa) where we created an account and started an assessment -- there you can select your application type.

The https://appdefensealliance.dev/casa/tier-2/ast-guide docs are actually a little outdated. We followed that at first and used FluidAttack to test our app, which is one of the recommended open source tools for Tier 2. But later, when going through the steps on the portal, we realized that the preferred method is to use Fortify (https://www.microfocus.com/en-us/cyberres/application-security) to test the app. In the assessment form itself, they provide information on how to package your app and submit it to Fortify for the scan.

Hopefully that helps! We've been on quite a journey ourselves trying to figure this whole CASA assessment out.

My advice would be to just start an assessment in the portal, select your application type, and see what they ask of you (whether they want you to use the Fortify tool or some other tool).

There is also a 'Messages' tab in the portal itself where you can get some support. They usually take around a day to reply to me for each question.

Darren D'Mello

Nov 9, 2023, 1:44:20 AM
to google-apps-sc...@googlegroups.com
Thank you very much Eunice, let's wait for some more time so we get more information.

May I know whether you designed a google sheets/docs/slides extension ? or is it something else?



--
Best,
Darren

james cui

Dec 28, 2023, 4:30:59 PM
to google-apps-sc...@googlegroups.com
Hey folks,

Please see this post for the flow to pass the CASA review. Hope this helps!

Shahbaz Shueb

Jan 22, 2024, 4:10:13 PM
to Google Apps Script Community
Does anyone have any idea whether SOC 2 compliance reduces the timeline and cost for getting a CASA Tier 3 assessment?

Kelig Lefeuvre

Jan 23, 2024, 5:09:25 AM
to Google Apps Script Community
Hi,

I've just published a full guide on how to pass the CASA Tier 2 assessment for Google Apps Script projects.

I hope this helps

Darren D'Mello

Feb 3, 2024, 12:39:53 AM
to google-apps-sc...@googlegroups.com
A ton of thanks, Kelig, for your article. This should have been the real documentation on Google's pages.
I am grateful to you for saving me lots of time.

The existing documentation on the website is totally crap, and it looks insane to a common man like me. A security engineer may understand it better.

You have added a full stop to this community CASA Assessment question which I raised.





--
Best,
Darren

Darren D'Mello

Feb 8, 2024, 1:22:16 AM
to google-apps-sc...@googlegroups.com
Can anyone help me with how to add a user to a Dockerfile?

I have added the Dockerfile

# syntax=docker/dockerfile:1
FROM nixos/nix:2.20.0pre20240102_3f834f5@sha256:99ea633bee79325758512e9f9f6a8573a42ba53fa6eed70af2d4f47547bd7dbe
WORKDIR /usr/scan
COPY . /usr/scan/
RUN mkdir results
RUN nix-env -if https://github.com/fluidattacks/makes/archive/23.04.tar.gz


I am running Ubuntu desktop 22, but I am unsure how to address "No command found to create a group or user, make sure the container is running as non-root in Bulk Hyperlinks Find Replace/Dockerfile".


title: 266. Excessive Privileges - Docker
cwe: CWE-250
description: No command found to create a group or user, make sure the container is running as non-root in Bulk Hyperlinks Find Replace/Dockerfile
cvss: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
finding: https://docs.fluidattacks.com/criteria/vulnerabilities/266
stream: skims
kind: SAST
where: 0
snippet:
  1 | # syntax=docker/dockerfile:1
  2 | FROM nixos/nix:2.20.0pre20240102_3f834f5@sha256:99ea633bee79325758512e9f9f6a8573a42ba53fa6eed70af2d4f47547bd7dbe
  3 | WORKDIR /usr/scan
  4 | COPY . /usr/scan/
  5 | RUN mkdir results
  6 | RUN nix-env -if https://github.com/fluidattacks/makes/archive/23.04.tar.gz
  ^ Col 0
method: docker.container_without_user

Summary: 1 vulnerabilities were found in your targets.

--
Best,
Darren
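The skims finding above (docker.container_without_user, CWE-250) is about the Dockerfile itself: it never creates an account and never switches away from root, so everything the container runs, including the scan, runs with full privileges. Excluding the Dockerfile from the scan hides the finding; adding an unprivileged user and a USER instruction resolves it. The Dockerfile below is an added example written for this thread, not Darren's file and not part of the Fluid Attacks guide. It keeps his base image and install step and makes these assumptions: the nixos/nix image provides a POSIX shell and coreutils but no useradd/adduser (so the passwd and group entries are appended directly); the image is a single-user Nix install whose store under /nix must be owned by whoever runs makes; and the account name scanner, UID/GID 10001 and the /usr/scan path are arbitrary choices.

```dockerfile
# syntax=docker/dockerfile:1
FROM nixos/nix:2.20.0pre20240102_3f834f5@sha256:99ea633bee79325758512e9f9f6a8573a42ba53fa6eed70af2d4f47547bd7dbe

# Build-time identity for the unprivileged account (arbitrary values, assumed).
ARG SCAN_USER=scanner
ARG SCAN_UID=10001
ARG SCAN_HOME=/usr/scan

# 1. Create the account while still root. The image is assembled with Nix and
#    is assumed not to ship useradd/adduser, so the passwd/group entries are
#    appended directly with the shell that is assumed to be present.
RUN echo "${SCAN_USER}:x:${SCAN_UID}:${SCAN_UID}::${SCAN_HOME}:/bin/sh" >> /etc/passwd \
 && echo "${SCAN_USER}:x:${SCAN_UID}:" >> /etc/group \
 && mkdir -p "${SCAN_HOME}/results" \
 && chown -R "${SCAN_UID}:${SCAN_UID}" "${SCAN_HOME}"

# 2. A single-user Nix install keeps its store, profiles and database under
#    /nix, owned by root. makes invokes nix at scan time, so the scanning user
#    must own /nix or every nix command fails with a permission error
#    (assumption about the single-user layout of this image).
RUN chown -R "${SCAN_UID}:${SCAN_UID}" /nix

# 3. Drop privileges. Every RUN/CMD/ENTRYPOINT after this line, and the running
#    container, uses the unprivileged account; this USER instruction is what
#    docker.container_without_user checks for.
USER ${SCAN_UID}:${SCAN_UID}
ENV HOME=${SCAN_HOME} \
    USER=${SCAN_USER} \
    PATH=${SCAN_HOME}/.nix-profile/bin:/nix/var/nix/profiles/default/bin:$PATH

WORKDIR ${SCAN_HOME}
# --chown keeps the copied sources writable by the scanning user instead of
# leaving root-owned files in its home directory.
COPY --chown=${SCAN_UID}:${SCAN_UID} . ${SCAN_HOME}/

# 4. Install makes as the unprivileged user so its profile lands in $HOME
#    rather than in root's, and the scan itself never needs root.
RUN nix-env -if https://github.com/fluidattacks/makes/archive/23.04.tar.gz
```

Two things to check after building: `docker run --rm <image> id -u` should print 10001, not 0, and the scan command from the guide should still succeed as that user; if nix reports it cannot write to /nix/store or /nix/var/nix/db, the chown in step 2 did not cover the store layout of the image you are using. The recursive chown of /nix is slow on a large store and adds an image layer; it is the price of keeping a single-user Nix store usable from an unprivileged account, and it is still a better trade than running the scanner as root or hiding the finding from the scanner.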

Kelig Lefeuvre

Feb 8, 2024, 5:41:15 AM
to Google Apps Script Community
Hi  Darren,

To avoid this vulnerability, you can add your Dockerfile to a .dockerignore file.
Your docker image will not be scanned.

The .dockerignore file I used for the guide is available here: https://github.com/keligggg/FluidAttack-Casa-Tier2/blob/main/.dockerignore  

Best,
Kelig

Emilio de la Cuadra Menéndez

Sep 11, 2024, 6:13:45 AM
to Google Apps Script Community
Hello Darren, good morning.

I've been reading because I'm having the same problem, with the intention of doing Tier 2 for my Google Spreadsheets add-on. Did you finally get Tier 2?

Kelig: The PwC portal is not available; after login it says this:
HOUSE Portal. Important Announcement: Application Assessment Project Closure. The application assessment project has been concluded. Thank you for your involvement.

Any help on this?

Darren D'Mello

Sep 11, 2024, 6:20:41 AM
to Google Apps Script Community

Kelig Lefeuvre

Sep 11, 2024, 10:34:55 AM
to Google Apps Script Community
Hi Emilio,

Indeed, it seems that auditing by itself is no longer possible.
I'll update my article to make it clearer

Best,
Kelig
