Background
Google Apps Script is a programming platform provided by Google for interacting with Google Workspace. Because of its rich interfaces across Sheets, Forms, Drive, Docs, Slides, etc., Apps Script development is becoming more and more popular. To publish an add-on on the Google Workspace Marketplace, the typical flow is: 1. build the Apps Script app to solve a specific problem; 2. submit it for OAuth verification; 3. submit it for functionality review. The CASA assessment is a newly added round of review within step 2 that applies if your Apps Script app uses a restricted scope, such as write permission on Google Drive. I recently completed the CASA tier 2 assessment for my add-on DriveWorks (marketplace, github) but ran into many issues along the way. The goal of this post is to clarify the flow of a CASA review step by step, to help other Apps Script developers in the same situation.
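Since the whole review is triggered by the scopes the add-on declares, the first practitioner check is whether the manifest really needs a restricted Drive scope or whether a narrower one would do. The script below is an added example, not code from DriveWorks or from Google; it reads a constructed appsscript.json, flags the broad Drive scopes, suggests the narrower `drive.file` scope, and handles the case where `oauthScopes` is omitted (Apps Script then infers scopes from the code, so the manifest alone tells you nothing). The scope classification it uses is an assumption for illustration, a small subset only; confirm it against Google's current list of sensitive and restricted scopes before relying on it.

```python
"""Check an Apps Script manifest (appsscript.json) for Drive scopes that
trigger the restricted-scope (CASA) review.

Added example, not code from the DriveWorks project. The scope
classification below is an assumption for illustration (a small subset);
confirm against Google's current list of sensitive/restricted scopes.
"""
import json

AUTH = "https://www.googleapis.com/auth/"

# Assumed classification (illustrative subset, verify against Google's list).
RESTRICTED = {
    AUTH + "drive",           # full read/write access to all Drive files
    AUTH + "drive.readonly",  # read access to all Drive files
}

# Narrower alternative to suggest when a broad scope is requested:
# drive.file only covers files the user opens or creates with the add-on.
NARROWER = {AUTH + "drive": AUTH + "drive.file"}


def classify_scopes(manifest_text):
    """Return a dict describing the manifest's OAuth scopes.

    An Apps Script manifest may omit "oauthScopes" entirely, in which case the
    platform infers scopes from the code; the manifest then tells you nothing,
    so the function reports that (needs_casa is None) rather than guessing.
    """
    manifest = json.loads(manifest_text)
    scopes = manifest.get("oauthScopes")
    if scopes is None:
        return {"explicit": False, "restricted": [], "other": [],
                "suggestions": {}, "needs_casa": None}
    restricted = sorted(s for s in scopes if s in RESTRICTED)
    other = sorted(s for s in scopes if s not in RESTRICTED)
    suggestions = {s: NARROWER[s] for s in restricted if s in NARROWER}
    return {"explicit": True, "restricted": restricted, "other": other,
            "suggestions": suggestions, "needs_casa": bool(restricted)}


def report(manifest_text):
    """Human-readable summary; returns the lines so callers can inspect them."""
    r = classify_scopes(manifest_text)
    if not r["explicit"]:
        return ["oauthScopes not declared: scopes are inferred from code; "
                "add an explicit oauthScopes list before assessing"]
    lines = ["restricted scopes: %s" % (r["restricted"] or "none"),
             "other scopes: %s" % (r["other"] or "none")]
    for broad, narrow in r["suggestions"].items():
        lines.append("consider %s instead of %s if the add-on only touches "
                     "files the user picks" % (narrow, broad))
    lines.append("CASA restricted-scope review: "
                 + ("required" if r["needs_casa"] else "not triggered"))
    return lines


# Constructed sample manifests (not the real DriveWorks manifest).
BROAD_MANIFEST = json.dumps({
    "timeZone": "America/New_York",
    "oauthScopes": [AUTH + "drive", AUTH + "script.external_request"],
})
NARROW_MANIFEST = json.dumps({
    "timeZone": "America/New_York",
    "oauthScopes": [AUTH + "drive.file"],
})
IMPLICIT_MANIFEST = json.dumps({"timeZone": "America/New_York"})


if __name__ == "__main__":
    for name, text in [("broad", BROAD_MANIFEST), ("narrow", NARROW_MANIFEST),
                       ("implicit", IMPLICIT_MANIFEST)]:
        print("== %s manifest ==" % name)
        print("\n".join(report(text)))
```

Run it against your own manifest by passing the file contents to `report()`. If the only reason for the full `drive` scope is to write files the user selected or the add-on created, switching to `drive.file` removes the restricted scope and, with it, the CASA requirement; if you genuinely need access to arbitrary Drive files, the rest of this post applies.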
Scope
Tiering
CASA has a clear tiering definition. Tier 3 is lab tested and lab verified: developers do not need to get involved in the testing. Tier 1 is developer tested and developer verified: no lab is involved. Tier 2 sits in between: the developer runs the scan with a lab-provided tool and the lab verifies the results, which is the process described in the step by step guide below. Most of the time your app is required to perform a tier 2 CASA assessment, which is the focus of this post.
App Type
This post uses a Workspace add-on as the example to show the flow of a CASA assessment. However, CASA assessments cover many application types, including mobile applications, serverless applications, web applications, etc. Select the type that matches your own application.
Confusions
Before going into the step by step guide for the CASA tier 2 assessment, I'd like to highlight a few points that confused me for my add-on, and the conclusions I reached.
Self assessment with open source tools (Do not spend time on this)
There is a high level document from Google describing how to perform the assessment. In step 2 (Scan Your App) it links to instructions on how to scan your application with open source tools (FlowAttacks in my case).
I spent days following those instructions to make FlowAttacks work for my add-on (see commits). However, it turns out that developers should first select a lab for their app verification; the lab then provides the scanning tool developers are expected to use, and that tool is usually NOT FlowAttacks.
Select the correct application type (Ask Google side reviewer for help)
During the CASA review you are asked for the application type. Although Google provides a high level description of the types, I had difficulty mapping my application to one clearly. This has also been discussed a lot in the Apps Script community without a clear conclusion. I was blocked by this for a long time, but eventually got an answer from the Google side reviewers: an Apps Script add-on belongs to the serverless application type. As mentioned earlier, CASA covers many application types; if you are not sure which one applies, ask the Google side reviewer for help.
Is the assessment free? (Yes, it is, at least for my app, for now)
Before deciding to perform the assessment I was concerned about its cost (if it was not free). A blog post mentioned that the assessment fee would be 15K-75K, which is obviously too much for micro/small businesses like us. However, for my app, which uses Google Drive restricted scopes and went through a tier 2 CASA assessment, I have not been asked to pay for the assessment yet. Maybe the cost only applies to a tier 3 review? I really hope that is not the case, since it would hurt the ecosystem and users of Google Workspace.
Step by Step Guide
Alright, here is the process as a step by step guide.
1. Select a lab. The first thing to do is select a lab and create an account with it to perform the assessment. Google provides a list of labs to choose from. In my case I used the PwC lab and my experience with it was quite good. After selecting the lab, you create an account in its portal to perform the review.
2. Fill in app specific information. Once you have an account and are in the portal, you create an entry where you fill in information such as the GCP project ID, the application name, Google's tier 2 review notification, etc.
3. Scan your application by following the lab's instructions. After the information is filled in, you are asked to begin the scan process. For the PwC lab, we were asked to scan with Fortify, and the lab provides detailed instructions. Essentially, you use the tool provided by the lab to compress your source code and upload it for a scan. For an Apps Script project this means an exported copy of the project source (for example, the clasp-managed copy in your repository); make sure it matches what is actually deployed, since a scan of stale code proves nothing about the add-on users run. The portal notifies you whether your app passed or failed the scan.
4. Fill in the questionnaire for the app. After the Fortify scan passes, you fill in a questionnaire about your app, covering whether you have proper protections in place against common security issues.
5. Iterate on issues and eventually get the LOV letter. You will be notified if the assessment finds issues. After all of them are fixed, you are finally issued a Letter of Validation (LOV), which you pass back to Google to complete the OAuth review.
Conclusions
Because the documentation was out of date and there was no previously shared experience in the community, I encountered many issues during the review of my add-on. The CASA review seems necessary to protect users in the long run, but it obviously discourages Apps Script developers, since it is time consuming, confusing and sometimes quite hard. I hope this post gives you a clear picture of how to perform the CASA tier 2 assessment so that you can do it yourself in the future. If this post solves your problem and saves you valuable time, please consider buying me a coffee. Also note that this review is annual, which means we have to repeat the exercise every year. If you do not want to spend time on the review and would rather offload it to a third party, please contact us at james.cui.code@gmail.com; we provide a low cost service to perform the tier 2 CASA assessment for you.
Hi and thanks for this write-up.
I have a question about step 4 "Fill in questionnaires for the app"
My application is a Google Sheets Editor Add-on and most, if not all, of the questions in the questionnaire seem completely irrelevant as a result, since they pertain to user account creation, initial password generation, password management, etc.
How did you go about filling in these questions, in case your application was also a Google Add-on, and would you recommend choosing "N/A" on questions that really are Not Applicable, or perhaps marking the questions as "Yes" given the Google ecosystem essentially takes care of this stuff?