Casa verification

[Darren D'Mello]

Hi Developers

I received a message stated below. Does this mean Casa self scan free assessment is no longer available?

Should everyone pay for the assessment? Does any one have an estimate of how much it would incur for a resticted drive scope? 

Hello Google Developer,

Thank you for your patience. Please be advised that we recently updated the ways in which developers going through the OAuth verification process can obtain a CASA security assessment. All apps using restricted Google APIs are now only provided with the security assessment options below. This means that Tier 2 self scan is no longer an option. While this mean that you will incur a small cost, paid to an independent assessor, we’ve worked hard to make sure this doesn’t pose an undue burden. 

[Romain Vialard]

I was not aware that free assessment was no longer available.

Google says they have negotiated a discounted rate for Tier 2 CASA assessments with TAC Security.

Prices are public:

https://casa.tacsecurity.com/site/home

$540 for Tier 2 (per year)

[Darren D'Mello]

Thanks, Romain. However, I believe the tier is determined by the rate score derived from various factors such as scopes. My authorization and drive access have the most restricted scope.

https://appdefensealliance.dev/casa/casa-tiering#:~:text=lowest%20required%20level.-,Tiers%20Calculation,-The%20framework%20users

Do you think this could have resulted in a score that bypassed Tier 2 self-scanning?

And could this be why the OAuth team responded, "This indicates that Tier 2 self-scanning is no longer an option"

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/08a55cba-6e6f-4667-9fd6-3eac67034d63n%40googlegroups.com.

--

Best,

Darren

[Romain Vialard]

My guess is that self-scanning was costing money for Google.

The portal was managed by PWC, you had to respond to several security questions via a form, someone from PWC was checking the responses and asking for additional information => Google was paying for all that.

See here for the full process:

https://medium.com/@kelig.lefeuvre/step-by-step-guide-how-to-successfully-complete-casa-tier-2-security-assessment-for-google-apps-e58ded052286

Maybe they decided to stop that and instead ask people to contact an assessor and pay for the assessment.

For all restricted scopes, Tier 2 is mandatory.

Tier 3 is usually not mandatory but you get a shiny badge on the marketplace :)

[Darren D'Mello]

That's so weird. The cost per year 500+ for a review is frustrating.

Better to have it unverified.

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/abcb9d0f-ddc4-4ffc-93b5-55735646d7acn%40googlegroups.com.

[Darren D'Mello]

I see this message now in the PWC portal.

Welcome, Darren D'Mello
As per guidance from the Google CASA team, we have ceased accepting new CASA requests.

We will continue to review and complete existing CASA assessments as quickly as possible.

If you have any inquiries regarding new application CASA assessments, please contact the Google CASA team. An email with the latest CASA lab options and assessment instructions was sent to the developer contact(s) associated with your project.

--

Best,

Darren