CASA (Cloud Application Security Assessment) is Google’s security review program for third-party apps that access Google user data through OAuth. If your app requests sensitive or restricted scopes — Gmail write, Calendar, Contacts, etc. — Google requires a CASA assessment before approving your OAuth consent screen.
The tier system
CASA has three tiers. Google assigns a tier based on the scopes your app requests and the number of users.
| Tier | Trigger | What’s required | Cost | Timeline |
|---|---|---|---|---|
| Tier 1 | Low-risk scopes (email, profile) | Self-assessment questionnaire | Free | Days |
| Tier 2 | Sensitive scopes (Gmail, Calendar, Drive read) | Automated scanning + lab verification by an authorized assessor | ~$550+ | 2–6 weeks |
| Tier 3 | Restricted scopes (Gmail full access, Drive write) | Full penetration test by an authorized lab | $5,000–$15,000+ | 4–12 weeks |
Most OAuth apps requesting sensitive scopes land in Tier 2.
What Tier 2 requires
A Tier 2 assessment has two parts:
- Automated scanning — the assessor runs OWASP ZAP-style tools against your app, checking security headers, TLS configuration, input validation, error handling, CORS, and HTTP method enforcement.
- Manual verification — the assessor reviews the scan results, checks OAuth flow implementation, and verifies that the app handles tokens, redirects, and error states securely.
The assessment is performed by a Google-authorized lab (like TAC Security, Leviathan Security, Bishop Fox, or others on Google’s approved list). You can’t self-assess at Tier 2.
What the assessor actually tests
The Tier 2 assessment maps to OWASP ASVS (Application Security Verification Standard) Level 2 controls. In practice, the assessor checks:
- Security headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, server version disclosure
- TLS — TLS 1.2+ enforced, valid certificate, HSTS, no mixed content
- HTTP methods — TRACE/TRACK blocked, unsupported methods return 405
- Error handling — no stack traces, no internal paths, no database errors, generic auth failures
- Input validation — SQL injection, XSS, path traversal, request size limits
- CORS — no wildcard with credentials, evil origins rejected
- OAuth flows — state parameter validation, code replay prevention, redirect URI enforcement, PKCE, token handling
- Rate limiting — 429 enforcement on sensitive endpoints
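As an added example (not vet's own code), the header and CORS checks from the list above expressed as a function you can run against a captured response. The one-year HSTS threshold and the two sample responses are constructed for illustration; they do not come from any real app.

```python
import re

# Headers whose presence the assessor checks (the "security headers" item above).
REQUIRED_HEADERS = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)
HSTS_MIN_AGE = 31536000  # one year; assumed threshold, the OWASP-recommended minimum


def check_response(headers, request_origin=None, allowed_origins=()):
    """Evaluate one captured response; return a list of findings (empty = pass)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing header: {n}" for n in REQUIRED_HEADERS if n not in h]

    # HSTS only helps if max-age is long enough for browsers to pin the policy.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("hsts max-age below one year")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options is not DENY or SAMEORIGIN")
    # Server version disclosure: product name followed by "/<digits>".
    if re.search(r"/\d", h.get("server", "")):
        findings.append("server header discloses a version")

    # CORS: wildcard combined with credentials, or an untrusted origin reflected back.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("cors: wildcard origin with credentials")
    if request_origin and acao == request_origin and request_origin not in allowed_origins:
        findings.append(f"cors: untrusted origin reflected: {request_origin}")
    return findings


# Constructed sample responses: a weak configuration beside a hardened one.
WEAK = {"Server": "nginx/1.18.0", "Strict-Transport-Security": "max-age=300",
        "X-Content-Type-Options": "nosniff",
        "Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true"}
HARDENED = {"Server": "nginx", "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
            "Permissions-Policy": "camera=(), microphone=()",
            "Access-Control-Allow-Origin": "https://app.example",
            "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_response(hdrs, "https://evil.example", ("https://app.example",)))
```

The `request_origin` argument models the probe where the scanner sends an untrusted `Origin` and checks whether the app echoes it; pass your own allowlisted origins in `allowed_origins`.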
How vet maps to the assessment
Vet automates the first part: the automated scanning. It runs the same probes an assessor’s tools would run and produces a report mapped to ASVS control IDs.
| Assessment area | Vet coverage | Notes |
|---|---|---|
| Security headers (V9.1.x) | Full | 8 checks per endpoint |
| HTTP method enforcement (V9.2.x) | Full | 4 checks per endpoint |
| Error disclosure (V7.4.x) | Full | 6 checks per endpoint |
| TLS/SSL (V9.3.x) | Full | 7 checks including legacy TLS rejection |
| CORS (V9.4.x) | Full | 5 checks per endpoint |
| Input validation (V5.x) | Full | 8 checks per endpoint (SQLi, XSS, path traversal, etc.) |
| OAuth authentication (V2.x) | Planned | Requires --client-id and --client-secret |
| Rate limiting (V13.x) | Planned | Requires auth credentials |
| Webhook security (V10.x) | Planned | Requires webhook configuration |
| Data protection (V8.x) | Planned | Token exposure checks |
What vet covers vs. what needs a human
Vet handles the mechanical, automatable checks. Some things still need a human assessor:
Vet handles:
- Header presence and correctness
- TLS version and certificate validation
- Error response content analysis
- Injection payload testing
- CORS policy verification
- HTTP method enforcement
Still needs a human:
- Business logic review (“does this permission model make sense?”)
- OAuth implementation nuance (custom flows, edge cases the tool can’t model)
- Manual exploitation of findings (“is this reflected XSS actually exploitable?”)
- Review of data storage and retention policies
- Code review for hardcoded secrets or insecure cryptography
- Verification that findings are truly fixed (not just masked)
The workflow
The intended workflow for CASA Tier 2:
- Run vet against your app. Fix everything it flags.
- Re-run vet to confirm all checks pass.
- Submit for assessment with a Google-authorized lab.
- The assessor’s job is now verification, not discovery. They confirm your app passes the same checks vet already ran, plus manual review items.
This dramatically reduces assessment time and back-and-forth. Instead of the assessor finding 20 issues and sending them back to you, they find 0–2 issues because you already caught them.
Cost and time savings
Without vet: The assessor finds problems → sends you a report → you fix → they re-test → repeat. Typical cycle: 3–6 weeks, multiple rounds.
With vet: You fix everything upfront → assessor verifies → done. Typical cycle: 1–2 weeks, one round.
The assessment fee ($550+) stays the same either way. Vet saves you time, not money on the assessment itself.