Guide to Completing Casa Tier 2 Security Assessment for Google Apps Script

Kelig Lefeuvre
5 min read · Jan 19, 2024


If you want to publish your Google Apps Script project on the Google Workspace Marketplace, or if you already have an add-on or app on this marketplace and are using authorization scopes which are now restricted, you will have to go through a TIER 2 CASA security assessment.

Today, I’m going to take you step by step through the Casa tier 2 security assessment for a Google Apps Script project.

1. Start the process

It begins with this email you will receive from Google, inviting you to start the security assessment.

Download this email in PDF format, as you’ll need to submit it as part of the assessment process.

To do this, click on the 3 dots and then on “Print”.

Then, in the new tab, choose “Save as PDF” as the destination and click “Save” to download the e-mail.

Register on the PWC portal.

Create your new assessment by clicking on “Start new assessment”.

Then validate the creation:

Click on your new assessment ID:

Complete your application’s basic information.

FYI: For a Google Apps Script project, you can choose “Web Application” as the application type.

In particular, upload the Google email.

Then click on “Confirm”.

2. Scan your Project

The code of your project requires a scan to make sure there are no vulnerabilities. PWC offers an online scan (you simply upload a copy of your code to their platform), which should be the easier option. Sadly, it does not work with all Google Apps Script code. It seems Editor add-ons can use this online scan, while Google Workspace add-ons and other projects using the Card Service will need to use another scanning solution.
In either case, we suggest you try the online scan first and switch to another method if it fails.

Default online Fortify scan

To download your code, you can simply use clasp or download your GitHub repository. Note that your Google Apps Script files need to have a .js extension to be analyzed.

Alternatively, you can copy and paste your code. To do this:

  • Create a folder with your application name.
  • Create a file named Code.js.
  • Simply copy and paste all your Google Apps Script files into this file.
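As an added example (not from the original post), the following POSIX shell helper automates the two requirements above: it treats .gs files as .js and merges every script file into <AppName>/Code.js, marking each original file's boundary so that a finding reported against a line of Code.js can be traced back to the real source file. The project layout and file names are assumptions.

```shell
#!/usr/bin/env sh
# Added example: bundle an Apps Script project for the PWC Fortify upload.
# Assumes a directory of .gs/.js files pulled with clasp or cloned from git;
# the manifest (appsscript.json) and HTML templates are not script files and are skipped.
set -eu

# prepare_casa_bundle SRC_DIR APP_NAME OUT_DIR
# Creates OUT_DIR/APP_NAME/Code.js containing every .gs/.js file, each preceded
# by a comment naming the original file (with .gs renamed to .js), so a finding
# reported at a line of Code.js can be traced back to the real source file.
# Prints the number of files merged.
prepare_casa_bundle() {
  src_dir="$1"; app_name="$2"; out_dir="$3"
  mkdir -p "$out_dir/$app_name"
  out_file="$out_dir/$app_name/Code.js"
  : > "$out_file"                      # start from an empty bundle
  count=0
  for f in "$src_dir"/*.gs "$src_dir"/*.js; do
    [ -f "$f" ] || continue            # an unmatched glob stays literal; skip it
    name=$(basename "$f" | sed 's/\.gs$/.js/')
    printf '// ---- source file: %s ----\n' "$name" >> "$out_file"
    cat "$f" >> "$out_file"
    printf '\n' >> "$out_file"         # guarantee a newline between files
    count=$((count + 1))
  done
  echo "$count"
}

# Demo on a constructed project: two script files plus a manifest that must be skipped.
demo=$(mktemp -d)
printf 'function onOpen() {\n  SpreadsheetApp.getUi().createMenu("Demo").addToUi();\n}\n' > "$demo/Code.gs"
printf 'function helper() {\n  return 42;\n}\n' > "$demo/Utils.js"
printf '{ "timeZone": "Etc/UTC" }\n' > "$demo/appsscript.json"
merged=$(prepare_casa_bundle "$demo" "DemoAddon" "$demo/bundle")
echo "merged $merged files into $demo/bundle/DemoAddon/Code.js"
```

Zip the resulting folder and upload it to the scan; keep the boundary comments when triaging findings so each one maps back to a file in your real project.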

Use a personal scanning solution

If your Google Apps Script project doesn’t pass the default scan or you don’t want to be audited by a third party, you can use your own scanning solution.

To do this, request to bypass the default scan by clicking on the “Request to bypass Fortify scan” button.

As the message, you can enter the following text: “I would like to bypass the Fortify scan, because I want to use my own scanning solution and submit those results for a prolonged manual assessment process”.

Then submit your request.

A few days later you should receive an email confirming that the bypass has been accepted.

Then, to scan your Google Apps Script project, you can read this documentation, which explains step by step the entire process of scanning a Google Apps Script project.

3. Submit Survey and Scan result

Once you have completed the scan of your Google Apps Script code and the bypass is accepted, you’ll need to fill in the survey with information about your Google Apps Script project.

Warning: Many questions are very general and not adapted to a Google Apps Script project.

For your information: Answers you submit as “No” will cause your assessment to be rejected.

On a lot of questions, you’ll be tempted to select N/A because the question is not applicable to Google Apps Script code (e.g. firewall, DNS, …), but the reviewers have no knowledge of Google Apps Script, and N/A responses are usually not accepted right away, triggering a lot of back-and-forth and explanations with the reviewers. Sadly, to speed up the process, it is best to answer Yes when a question is not applicable to Google Apps Script.

4. Upload your Casa Scan result and submit the survey.

A few days later, you should receive an email asking you to confirm your application name and website URL. Note that if you have answered N/A on some questions and the comments linked to those N/A responses are not accepted directly, you will first be asked to provide additional information on your responses.

Simply confirm that the information is correct, or modify incorrect information.

After a few days, your project should be validated.

You will receive an LOV letter confirming that you are certified.

Note that it is best to send this document to the Google Auth team by replying to the CASA tier 2 request email received at the beginning of the process, as they are not in direct contact with the CASA reviewers from PWC. After that, Google will update the status of your OAuth consent screen in the GCP project linked to your Google Apps Script project.
