CASA
An industry-recognized security standard for web applications
CASA provides a consistent set of requirements for hardening web application security with a uniform approach to assessment
OVERVIEW
CASA gives developers a consistent, testable standard for securing web applications and web-accessible APIs. It defines a baseline set of security requirements with clear acceptance criteria.
Infrastructure security has advanced over the past decade, but the application layer remains where much of the risk lies. CASA focuses on the requirements that reduce the vulnerabilities most likely to expose user data.
CASA uses a risk-based approach, with the depth of review matched to the application's scope, the data it handles, and other application-specific factors.
Program Benefits
Common standard
Developers and platforms work from a single set of requirements that span ecosystems.
Consistent evaluation
Every application is measured against the same requirements and assessments.
Transparent process
CASA gives platforms and partners a shared view of how an application was assessed against the same requirements.
Certification Requirements
Every application within the CASA program is measured against a testing guide with defined categories.
Authentication
Strong password security, disabling default accounts, and securing out-of-band verifiers
Session Management
Keeping authentication material out of URLs, invalidating sessions on logout and password change, securing session tokens, and protecting sensitive account changes
Access Control
Enforcing least-privilege access to data and APIs, securing OAuth integrations, and requiring multi-factor authentication for admin interfaces
Communications
Protecting data in transit with strong TLS and cryptography
Data Validation and Sanitization
Validating and sanitizing input, and safely handling untrusted file uploads
Configuration
Keeping components current, disabling debug modes, protecting against subdomain takeover, and securely storing secrets
Get Certified
CASA certification is handled through the Alliance's authorized labs, with the depth of review set by your assurance level. The Certify Your App page walks through the full process.