Gmail Addon - CASA Security Assessment


Plugin Team

Jul 11, 2023, 8:29:14 AM
to Google Apps Script Community
Hi, 

We are using sensitive scopes of the Gmail API in our Apps Script add-on. We are guided to run the CASA security assessment on it using a 2-Tier Self Scan Using Open Source Tools, Using Commercial Tools, or a Tier 2 Authorized Lab Scan. We opted for the 2-Tier Self Scan Using Open Source Tools.

For the static scanner, we successfully ran the assessment and got the SAST result in a file. But according to the assessment steps, we have to run DAST as well to complete the process.

For DAST, we started with the OWASP ZAP tool. According to the documentation, we can't run this for Web, Mobile, Local, and API.

We want to know whether an Apps Script project falls under the Serverless application type. If yes, how can we run the Dynamic Scanner process on it?

It would be really great if anyone could tell us the exact steps for scanning an Apps Script add-on built for Gmail.



Hari Shankar Das

Jul 18, 2023, 8:34:47 AM
to Google Apps Script Community
I am also having the same question. Thanks for asking this. How are you planning to scan, by the way? Did you save all files from GAS to your computer with .gs and .html extensions and then scan from there?

Darren D'Mello

Jul 27, 2023, 12:12:57 AM
to Google Apps Script Community
Any update on this?

Hywel Stayte

Sep 2, 2023, 4:19:42 PM
to Google Apps Script Community
I am trying to do the same thing. There seems to be little help for this process. 

I have been told: "Please choose a Serverless App type for Add-on. Please note that you may use the portal Messages feature for support."

If anyone figures this out, they would be a lifesaver.

Afaan Naqvi

Jan 2, 2024, 5:57:26 AM
to Google Apps Script Community
I was able to scan my Sheets Editor add-on following the instructions provided in the PwC portal (https://rc.products.pwc.com/login/casa).
I downloaded and installed the Fortify_ScanCentral_Client and then ran commands like:

cd Documents/<...path to my code files..>
Documents/<..path to software..>/Fortify_ScanCentral_Client_22.2.1_x64/bin/scancentral package -bt none -o myPackage.zip

I then uploaded myPackage.zip to the portal and got a failures report within a day.
I corrected my errors and reran the above command to re-zip, then uploaded the new zip file to the portal again, which seemed to scan without failures, because now I have been directed to a couple of 15-page questionnaires full of questions that seem completely irrelevant to a Google Workspace add-on.

Hope that helps.

Afaan
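A pre-flight check to run before the packaging step Afaan describes, as an added example that is not part of the thread and not a PwC, Fortify or Google tool. It assumes the add-on sources were saved locally as .gs and .html files plus the appsscript.json manifest (as Hari asked about), that the scancentral binary from the thread is on PATH, and that the function names check_source_tree and package_for_scan are hypothetical. The point is defensive: the zip goes to a third-party portal, so the script refuses to package a tree that is empty or that contains anything other than Apps Script source and its manifest (for example a stray .clasprc.json or credentials.json left next to the code).

```shell
#!/bin/sh
# Pre-flight check for an Apps Script add-on source tree before packaging it
# for a CASA Tier 2 self-scan. Example code added to this thread, not from
# the thread's author or from any vendor tool.
#
# Assumptions (not from the thread):
#   - sources were saved locally as *.gs, *.html and appsscript.json
#   - `scancentral` is on PATH and is used with the flags quoted in the thread

# check_source_tree DIR
# Returns 0 when DIR contains only files a SAST scanner needs to see,
# 1 when it is empty or contains anything else (credentials, tool state,
# build output), which must not be uploaded to an external portal.
check_source_tree() {
  dir="$1"
  status=0

  # Anything that is not Apps Script source or the manifest is refused.
  # find lists dotfiles too, so .clasprc.json or .env would be caught here.
  unexpected=$(find "$dir" -type f \
      ! -name '*.gs' ! -name '*.html' ! -name 'appsscript.json')
  if [ -n "$unexpected" ]; then
    printf '%s\n' "$unexpected" | sed 's/^/refuse: unexpected file in package: /' >&2
    status=1
  fi

  # An empty package is a mistake: the scan would silently cover nothing.
  n=$(find "$dir" -type f \( -name '*.gs' -o -name '*.html' \) | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "refuse: no .gs or .html files under $dir" >&2
    status=1
  fi

  return $status
}

# package_for_scan DIR OUT_ZIP
# Runs the check, then the scancentral packaging command from the thread.
# usage: package_for_scan ./src myPackage.zip
package_for_scan() {
  dir="$1"
  out="$2"
  check_source_tree "$dir" || return 1
  # Same invocation as in the thread; -bt none means no build tool integration.
  (cd "$dir" && scancentral package -bt none -o "$out")
}
```

Run check_source_tree on the directory you exported from the Apps Script editor before every re-zip; the re-upload cycle Afaan describes is where leftover local files most easily slip into the package.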