Publishing your Google App: CASA Tier 2 certification

This article is part 3 of a 3 part series on how to publish your Google App

Congratulations! ! Google has approved the initial process, now you need to do the CASA Tier 2 certification.

This process can take from 2 to 6 weeks depending on your app complexity and how fast PWC, the agency in charge of providing the CASA certification, replies.

Disclaimer: Because this process involves a bit of code, I will be demonstrating how we did it for https://getemil.io , which uses django and react.

There are 4 steps for the verification:

1. Selecting a scan tool
2. Scanning your app
3. Submitting the form
4. Feedback and resolving issues

Step 1: Identify which tool you need to use

There are tons of app types out there, select the app type that most closely resembles yours:

You have it? Good!

Now check which one of the two approved scanning procedures (which are easier to use) can be applied to your app type:

Our app is just an API, so I will be using the OWASP ZAP (nice pun) .

If your app allows for both, I recommend using OWASP as it’s just a matter of running a docker container on your computer.

What are these tools?

These are scanning tools that will try to hack their way into security loop wholes in your app, to check if it can be hacked. Essentially, they’re just hacking tools really that expose security flaws in your application.

That’s why it is really important you use this tools on an isolated environment.

Step 2: Scan your application

DO NOT USE THESE TOOLS ON YOUR PRODUCTION DEPLOYMENT! !

If you want to know why, read the paragraph above.

Here I will explain how I did it for our API application with the OWASP ZAP tool.

If you need a more detailed explanation just go here: https://appdefensealliance.dev/casa/tier-2/ast-guide/dynamic-scan

1. Set up config and context files

For us, having only an API was quite a blessing, the configuration file is already done for you and can be downloaded here .

If you have a full fledged web app, with frontend and backend, you will need to create your own config file and set up authentication if you have any, it’s a bit more complicated but all the details are explained here .

2. Deploy a parallel app

You can just scan your local environment but it will give a bunch of errors because you probably have no HTTPS configured locally for instance.

That’s why I decided to deploy in a subdomain: development.mydomail.com and set up everything as I had in production.

3. Set up Docker

I will be using Ubuntu for this task. You will need Docker installed, for instructions go here: https://docs.docker.com/engine/install/ubuntu/

4. Scan your app

Make sure you have docker installed in your system. I will be using Ubuntu in Windows (WSL) but the commands should be the same.

If you have an API like us:

docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw 
-t owasp/zap2docker-stable zap-api-scan.py 
-t https://apiv1.mydomain.com -f openapi -P 8080 
-c zap-casa-api-config.conf 
-x results-full.xml

Where:

• https://apiv1\.mydomain\.com is the URL to your test environment
• -P 8080 is the port to your app
• zap-casa-api-config.conf is the conf file downloaded from the CASA website

If you have a web app:

docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py 
-t https://example.com -P 8080 
-c zap-casa-config.conf 
-x results-full.xml -n example.context -U username

Where:

• https://example.com/ is your web app homepage
• zap-casa-config.conf is the configuration you created
• example.context is the context file you set up
• username is the username in case you have a login

5. Inspect the outputs

In the console, you should see if everything passed, if not, you will need to start debugging.

You will now also have a file called results-full.xml, this file contains even more info on what happened so, get the ID of the stuff that didn’t pass, open the XML and search for those ID’s to get more info.

I seriously recommend pasting the XML output of the failed cases to ChatGPT to get more context. It helped me quite a bit.

For me it was just a matter of setting a header and enabling HSTS in our Cloudflare certificates.

Repeat this until everything passes, once it does, you’re ready for the next step!

Next step: Coming soon!

Step 3: Submitting the form

Now head on to the survey (you should have a link to it in the email Google sent you) .

Upload the XML file and answer to all the questions.

Beware that there are many people complaining, specially on Reddit, that this process is a pain in the 🍑. The guys revising everything seem to not be super tech savvy.

I recommend, on the stuff that you did not answer “Yes” to, to explain it as if you were trying to explain it to a 10 year old. Otherwise they will keep asking for clarification. Be as transparent as possible.

There are people out there saying to just reply “Yes” to everything. I do not recommend this, so use it under your own discretion.

Step 4: Resolving issues

After submitting the survey, they should come back some days after the fact asking you for clarification on some things or for a re-scan. Keep replying to those until you get the certification!

Once they approve it you do not have to do anything, they will take care of sending it to Google and you should be notified when your app is published.