- CASA is Google’s new security audit framework for cloud apps that handle sensitive Google user data. It’s built on the OWASP ASVS standard and uses risk-based, multi-tier testing (Tiers 1-3) to ensure apps follow strong security controls.
- Apps accessing restricted scopes (e.g. Gmail or Drive APIs) must pass a CASA audit by a Google-approved lab, then revalidate yearly. Tier 3 is the highest level (lab verified) and is required for Google Workspace Marketplace badges.
- Typical assessment costs range from a few hundred to a few thousand dollars per year depending on tier. Authorized labs (TAC Security, Leviathan, DEKRA, etc.) handle the testing and report a Letter of Validation (LOV) to Google.
- Why it matters in 2025: With rising privacy regulations and Google’s strict OAuth policies, CASA compliance is now mandatory for apps that need wide Google data access. Failing to pass CASA can block your app’s approval or Google integration.
What Is Google CASA?
Google’s Cloud Application Security Assessment (CASA) is a standardized security review for cloud apps, created by the App Defense Alliance, an industry consortium led by Google. In practice, CASA is a security audit framework built on OWASP ASVS (Application Security Verification Standard).
It defines a consistent set of baseline controls (access control, architecture, cryptography, etc.) that any Google-integrated app must meet. CASA uses a risk-based, multi-tier approach: apps are classified by user count, OAuth scopes, data sensitivity, etc., and then tested accordingly.
Practically, CASA serves as a high-assurance pentest for cloud apps. A Google-empaneled lab performs a time-limited, functional audit of your app’s externally accessible interfaces. This means the lab will do DAST (dynamic analysis), review code (SAST), and run other checks, but only on the app layer, not the cloud infrastructure.
The goal is to show that your app handles Google data securely and can promptly delete it on request.
Figure: Google Workspace Marketplace shows an Independent security verification badge on apps that passed a Tier 3 CASA audit.
Why CASA Matters in 2025
User trust and compliance: Google now requires CASA for any app that requests restricted OAuth scopes, those that provide broad access to Gmail, Drive, Calendar, Contacts, and other sensitive data.
In Google’s words, apps accessing restricted data “… must undergo an annual security assessment by a Google approved third party.” In short, if your app handles Google user data at scale, CASA is mandatory.
The stakes are high. Apps passing Tier 3 CASA earn a coveted security verification badge in the Google Workspace Marketplace. This badge signals to customers that the app has been rigorously audited.
In contrast, apps failing CASA may be denied API access or removed from listings. With 2025’s focus on data privacy and tightening API policies, CASA compliance is now a go/no-go for Google integrations. It’s especially critical for enterprise or SaaS vendors who live and die by API trustworthiness.
Standardization and industry alignment: CASA fills a big gap. Over the past decade, cloud infrastructure security has improved dramatically, but application-layer security still lags.
By aligning with OWASP ASVS and sponsoring a tiered framework, Google and the ADA are pushing the industry toward a common standard for app security.
In 2025, knowing CASA means you’re on the forefront of app sec best practices, not scrambling after a breach.
Who Needs a CASA Assessment?
- Any app using sensitive Google APIs:
- The short answer: if your app wants to access restricted scopes of Google user data (think Gmail read/write, full Drive file access, or other broad permissions), then a CASA assessment is required.
- This includes server-to-server services, SaaS products, and Workspace add-ons that pull data from Google accounts. Google’s identity guidelines explicitly tie CASA to OAuth scope verification.
- Google Workspace Marketplace apps:
- Even if you only build Google Workspace add-ons or Marketplace apps, CASA can come into play.
- To earn the Marketplace security badge, which greatly boosts visibility, your app must pass a Tier 3 CASA audit.
- In practical terms, any developer targeting enterprise customers via Google Workspace should budget for CASA.
- When else:
- The CASA framework also appears in Google’s Data Portability and Workspace API policies.
- For example, the Data Portability API policy (Nov 2024) explicitly says, “Required security measures for Restricted Scopes include following the Cloud Application Security Assessment (CASA).”
- Likewise, the Workspace API policy (Oct 2025) mandates CASA for any app with restricted scopes.
- If your app falls under those policies, CASA is not optional; it's part of being in Google’s ecosystem.
Key point: Don’t confuse CASA with generic pen testing. It’s specifically for Google-bound applications. If you only use non-Google cloud services (AWS, Azure) or have no restricted scopes, CASA doesn’t apply. But if Google APIs are involved, CASA is the official requirement.
CASA Tiers and Requirements
CASA uses a three-tier system to scale the assessment effort to the app’s risk.
- Tier 1 (Self-Assessment):
- This is the lowest level. It may involve the developers running automated scans (DAST/SAST) against OWASP ASVS controls, but no formal third-party audit.
- Tier 1 covers apps with limited risk (few users, no sensitive scopes). It’s often just a checklist with internal testing.
- Tier 2:
- Mid-level. A Tier 2 app typically uses some sensitive scopes or has a moderate user count. Here, you use authorized labs or certified scanners to review your app. Labs perform vulnerability scans and report issues.
- Tier 2 still does not require full lab testing of all OWASP categories, but it covers many critical checks.
- Tier 3 (Full Lab Audit):
- The highest level. Required for apps handling highly sensitive data or aiming for Marketplace trust badges.
- A Tier 3 audit is a full third-party security test: labs manually test all relevant OWASP ASVS categories (authentication, access control, cryptography, etc.) and produce a Letter of Validation (LOV). It’s the most thorough, time-consuming and expensive tier.
Figure: The CASA framework uses three risk-based tiers for cloud apps. Each level has defined ASVS-based requirements and testing scope.
All tiers share some common rules: the assessment focuses on the app itself (not the cloud infra), and results must be updated annually.
Google requires each approved app to revalidate every 12 months. That means even after you pass, plan for a yearly retest. Also, any time you add new restricted scopes, you might need an updated CASA review.
CASA vs Regular Pen Testing
It’s worth noting how CASA differs from a generic pentest. CASA is narrower in scope: it tests the application layer according to OWASP ASVS controls. It doesn’t include, for example, attacking the cloud network or physical data centers.
For most Tier 3 audits, labs focus on web/API endpoints, mobile backends, and data storage as used by the app. Some OWASP categories like error handling or threat modeling are emphasized, whereas things like network sniffing are out of scope. In that sense, CASA is like a specialized web/mobile app pentest tailored for Google’s data integration scenario.
For cloud apps, you should still do broader pentests (infrastructure, network, etc.) separately. CASA complements those efforts by guaranteeing coverage of key app controls. If you already have regular pentesting, you’ll find many overlaps. But don’t assume a generic pentest alone will satisfy Google: only a CASA report from an authorized lab gets you the official LOV.
Achieving CASA compliance is a multi-step process. Here’s a high-level how-to for Google-integrated apps:
- Determine your tier and requirements. Check the App Defense Alliance or Google documentation to see which CASA tier applies. Factors include the number of users, user data sensitivity, and scopes. Use the CASA Accelerator if available: this tool lets you enter your existing certifications (ISO 27001, PCI, etc.) or test results to minimize duplicate checks. The goal is to map your app to the required OWASP ASVS controls for that tier.
- Prepare internally. Before involving a lab, run your own vulnerability scans and code reviews. Ensure you’ve implemented the core ASVS Level 1 controls (secure authentication, input validation, encryption at rest, etc.). Fix obvious issues and have evidence ready. This step often involves working with developers to address findings from SAST/DAST and threat models.
- Engage an authorized CASA lab. Only Google-approved labs can issue CASA Letters of Validation. Examples include TAC Security, Leviathan, DEKRA, Bishop Fox, etc. Contact the lab with your app details. They will guide you through submitting your app (URLs, credentials for testing).
- Undergo the assessment. The lab will perform the tests corresponding to your tier. For Tier 3, expect manual tests on all 14 OWASP ASVS categories (for ASVS 4.0), per CASA requirements. The lab will document vulnerabilities and advise on fixes (some lab packages include remediation support). They then compile a report.
- Receive and submit the Letter of Validation (LOV). If you pass, the lab issues a signed LOV certifying CASA compliance. For Marketplace apps, this is your security verification badge pass. You submit the LOV and any other required docs to Google via the Cloud Console’s OAuth App Verification process.
- Annual revalidation. After approval, plan to repeat the security assessment yearly. Google typically notifies you when it’s time. Keep your contact info updated so the right devs get the re-certification reminder. Make necessary fixes during the year to stay in compliance.
Quick tip: Turnaround can be relatively fast. For example, one provider (TAC Security) advertises Tier 2 reassessment in 1-3 weeks and Tier 3 in 2-4 weeks once the lab has everything. However, delays in finding issues can add time. Budget a couple of months to be safe.
- Pre-assessment: Internal scans (DAST/SAST), threat model documentation, privacy policy, and least-privilege scopes in place.
- Assessment: Official lab testing (Tier 1/2/3 per your app). DAST, targeted SAST, config review, manual verification of controls.
- LOV Submission: Letter of Validation to Google, plus any scope justification (especially if using highly restricted Gmail/Drive scopes).
- Post-assessment: Remediate any findings (labs often provide remediation guidance), then get reverified.
See our web application penetration testing services and cloud penetration testing posts for deeper pentesting methodology insights.
CASA Tier 2 vs Tier 3: A Quick Comparison
- Scope: Tier 2 covers many but not all ASVS controls (it often excludes very sensitive checks); Tier 3 covers all CASA controls and is required for highly sensitive data flows.
- Auditor Role: Tier 2 can use a combination of automated tools and lab verification; Tier 3 is always a hands-on lab audit.
- Cost: Tier 2 is cheaper; labs may offer one-off tests or small retainer plans. For example, TAC Security lists Tier 2 plans from $540 to $1,800. Tier 3 is pricier; TAC’s Tier 3 plan is $4,500.
- Outcome: Both yield a letter of validation, but only Tier 3 grants the full Google Marketplace security badge and covers the strictest Google requirements.
- Update Frequency: Both need annual revalidation, but Tier 3 apps are locked in at that level each year.
Real World Example: Qlik’s Google Integration
Major data platforms have already gone through CASA.
For instance, Qlik Cloud achieved CASA Tier 3 certification for its integration with Google. Qlik’s trust page confirms:
“CASA Tier 3 is a security assessment framework based on OWASP ASVS that is mandated by Google Marketplace when cloud applications access sensitive scope data in Google Cloud.”
In other words, Qlik proved its app security to Google’s standards and earned the independent security badge. This shows CASA is not just theory; it's a real requirement for enterprise cloud apps in production.
Common Myths and FAQs
- Myth: “I already did a penetration test last year.” While great, a generic pentest is not the same as CASA. Only a CASA-specific audit by an approved lab satisfies Google’s rules.
- Myth: “I’m a small app, I can skip it.” There’s no revenue-based waiver. Even small developers requesting restricted scopes are expected to comply. Tier 2 or even Tier 1 might suffice, but ignoring CASA risks your app being blocked.
- Myth: “Once I have CASA, I’m done.” No, CASA is a continuous process. Google requires yearly revalidation, and you must stay compliant if you add new scopes or features.
- Tip: Leverage the CASA Accelerator. If you have existing certifications (e.g. ISO 27001, PCI, etc.), the accelerator can reduce overlap in testing. Ask your lab about it.
In 2025, CASA compliance isn’t optional; it's essential for Google-integrated apps. By adopting the CASA framework, as used by leaders like Qlik and mandated by Google, developers ensure their cloud applications are hardened against common threats and meet Google’s strict OAuth requirements.
The tiered approach means you can start small (Tier 1 scans) and work up as your app grows, but ultimately Tier 3 is the gold standard for maximum trust.
We hope this guide has clarified what CASA is, why it matters, and how to navigate its requirements. Remember: the goal is not just getting a badge, but truly securing your users’ data.
Ready to Strengthen Your Defenses? The security threats of 2025 demand readiness. If you’re integrating with Google APIs and need to validate your security posture, identify hidden risks, or build a resilient defense strategy, DeepStrike can help.
Our team of experienced practitioners provides clear, actionable guidance on penetration testing and security assessments.
Explore our penetration testing services to see how we uncover vulnerabilities before attackers do. Drop us a line; we’re always ready to dive in.
About the Author: Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led numerous red team engagements for Fortune 500 companies, focusing on cloud security, application vulnerabilities, and adversary emulation. His work involves dissecting complex attack chains and developing resilient defense strategies for clients in the finance, healthcare, and technology sectors.
Frequently Asked Questions
- What triggers the need for a CASA assessment?
- Requesting any Google API restricted scope (like full Gmail or Drive access) triggers CASA.
- Also, Google may require it during OAuth app verification if your app handles sensitive data.
- Can I do CASA myself?
- You can do much of the preparatory work (scans, code review), but Google requires an authorized third-party lab to perform the official CASA audit and issue the Letter of Validation.
- How much does a CASA audit cost?
- Costs vary by lab and tier. Industry figures suggest Tier 2 audits start around $500-$1,000 (one time or yearly), while Tier 3 audits are typically several thousand dollars (TAC lists $4,500).
- Budget for annual repeat assessments, as Google requires yearly renewal.
- What’s the CASA assessment turnaround time?
- According to providers, Tier 2 audits can wrap up in about 1-3 weeks and Tier 3 in 2-4 weeks once testing begins.
- Your overall timeline also depends on how quickly you fix issues and coordinate with the lab.
- How is CASA related to OWASP ASVS?
- CASA is based on OWASP ASVS. It essentially picks a subset of ASVS controls relevant to Google cloud apps.
- In fact, CASA is based 100% on the OWASP ASVS; no proprietary requirements or confusing jargon.
- Think of ASVS as the foundation and CASA as Google’s implementation roadmap.
- Do I need CASA if I only use OAuth sensitive (not restricted) scopes?
- Sensitive scopes (like basic Gmail read) typically require a simpler verification.
- CASA specifically targets the restricted scopes (those with very broad access).
- However, it’s wise to follow CASA-like controls for any app handling user data.
- What happens if I fail a CASA audit?
- If critical issues are found, the lab will not sign off. You must remediate all showstoppers before getting the LOV.
- Failing an audit means Google will not approve your app’s restricted scope or listing.
- It’s not a pass/fail by law, but effectively your app won’t move forward without it.