My SaaS passed CASA Tier 2 Assessment and yours can too. Here is how

Published at 1/8/2025
Categories: security, googlecloud, gmail
Author: Rem Kim

If your SaaS integrates with Gmail APIs and needs Restricted Scopes (access to sensitive Gmail data, like reading emails or sending on behalf of a user), you must pass Google’s CASA Tier 2 Assessment.

CASA (Cloud Application Security Assessment) Tier 2 is Google’s way of ensuring apps meet high security and data protection standards. It involves third-party security testing, including scans for vulnerabilities, compliance with security best practices, and submission of a Letter of Validation (LOV). If your app relies on Gmail APIs with Restricted Scopes, passing this assessment is non-negotiable.

For context, I run a SaaS that automates workflows using Gmail and Slack (https://tryworkloop.com). For example, one workflow parses Gmail threads for specific keywords, sends a Slack notification with the summary, and triggers an AI Agent to draft an email response.

Here’s a step-by-step breakdown of how I passed CASA Tier 2 for my app:

How to Pass CASA Tier 2

  1. Choosing a Vendor: I went with TAC Security and opted for their unlimited revalidation plan ($720 with a discount). They offer two options:
    • SAST: Source code review/scan
    • DAST: Application-level vulnerability scans (no source code required)

I chose DAST since I didn’t want to share my code.

  2. Vulnerability Scanning:

    After scheduling the scan, it took 3-4 days to complete. TAC provided a detailed PDF report listing vulnerabilities and updated their dashboard with the same info.

  3. Patching & Reporting:

    TAC required me to patch all valid vulnerabilities, but I successfully argued that some weren’t applicable to my app, and they marked those as resolved.

  4. Self-Assessment Questionnaire (SAQ):

    TAC sent me a 50+ question SAQ, which felt overwhelming at first. It’s not mandatory to implement everything, but I recommend doing so for your app’s security and user trust.

  5. Revalidation:

    After addressing the issues and completing the SAQ, I sent my app for revalidation. TAC confirmed all patches and sent an updated report marking everything as resolved.

  6. LOV Submission:

    The final step involved sharing app details via email and submitting the LOV (Letter of Validation). After some back-and-forth, I received confirmation of approval!

Tips for the Process

  • Know Your Stack:

    My stack includes a Next.js web client and a Node.js GraphQL backend. Using GraphQL helped me avoid vulnerabilities like parameter injection and path traversal.

  • Pre-Scan Your App:

    Tools like OWASP ZAP can help you identify critical issues before the official scan, saving time.

  • SAQ Best Practices:

    Some recommendations I implemented:

    • Invalidating sessions when passwords are changed
    • Enforcing strong password policies
    • Encrypting sensitive data
    • Role-Based Access Control (RBAC) with automated tests
  • Use Your Cloud Provider:

    Many SAQ items can be offloaded with answers like “My cloud provider handles that,” e.g., CI/CD pipelines, key management, and DNS management.

This process can feel daunting, but passing CASA Tier 2 ensures your app meets Google’s high standards and builds trust with your users. Let me know if you have any questions—I’m happy to share more about my experience!
