Validate CASA tier 2 requirements | Fluid Attacks Help

Validate CASA tier 2 requirements

Cloud Application Security Assessment (CASA) requirements are based on the OWASP Application Security Verification Standard (ASVS). Failure to implement them is associated with CWE entries. A software application must meet all 73 CASA requirements, regardless of their CWE rating, to pass the assessment. Keep in mind that annual revalidations are required to maintain compliance.

Currently, App Defense Alliance's instructions on using Fluid Attacks' scanner are outdated. This page provides an updated guide to successfully scan your application and validate its compliance with CASA Tier 2 requirements.

Run the scanner

You do not need to create a Dockerfile to run Fluid Attacks' CASA-recommended scanner. Follow these steps to execute the scan:

  1. Create a local directory to store the config.yaml file and the directory or files you want to scan. Your folder structure should resemble this:

    home/
      fluid_scanner/
        config.yaml
        my_app/        # Place all the code you want to scan inside this "my_app/" folder

  2. Ideally, use the following config.yaml:

    namespace: my_app
    working_dir: /working-dir/my_app
    output:
      file_path: /working-dir/Fluid-Attacks-Results.csv
      format: CSV
      language: EN
    apk:
      include:
        - glob(**/*.apk)
    sast:
      include:
        - .
      exclude:
        # Directories created by package managers, e.g., node_modules, vendor, dist.
        - glob(**/node_modules/**)
    sca:
      include:
        - .

    Advice on configuration keys
    More information about the configuration keys can be found in Configure the tests by the standalone scanner.

  3. Open a terminal and change directory to fluid_scanner (or whichever directory you placed your application code and config.yaml in).

  4. Run the following command to execute the scan, replacing /your/local/dir with the absolute path of that directory (Docker treats a relative host path in -v as a named volume, not a bind mount):

    docker run -v /your/local/dir:/working-dir fluidattacks/cli:latest skims scan /working-dir/config.yaml

    Advice on directory name
    working-dir is just a placeholder for the path inside the container where your local directory is mounted. You can use any name you want as long as you also change it in the working_dir and file_path keys of config.yaml; if the two do not match, the scanner cannot find your code or write its results.

  5. If the scan completes successfully, the CSV file containing the scan results is created next to the config.yaml file in the fluid_scanner folder.
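The whole procedure as one POSIX shell script, added here as an example; it is not Fluid Attacks' tooling and not part of the original page. It scaffolds the scan directory, writes the config.yaml shown above if none exists, checks that the working_dir and file_path values in config.yaml start with the container mount path (the placeholder mismatch the advice box warns about), resolves the host directory to an absolute path before building the -v argument, runs the scanner, and reports whether the results CSV appeared. The function names, the MOUNT and IMAGE variables and the awk-based key extraction are this example's own assumptions; the docker command line and the configuration keys are the ones the page gives.

```shell
#!/bin/sh
# Added example (not Fluid Attacks' own tooling): run the CASA scan end to end.
set -eu

MOUNT=/working-dir              # in-container mount point; must match config.yaml (assumed placeholder)
IMAGE=fluidattacks/cli:latest   # scanner image from the page

# scaffold_scan_dir DIR: create DIR/my_app and, if absent, the page's config.yaml.
scaffold_scan_dir() {
  dir=$1
  mkdir -p "$dir/my_app"
  [ -f "$dir/config.yaml" ] && return 0
  cat > "$dir/config.yaml" <<EOF
namespace: my_app
working_dir: $MOUNT/my_app
output:
  file_path: $MOUNT/Fluid-Attacks-Results.csv
  format: CSV
  language: EN
apk:
  include:
    - glob(**/*.apk)
sast:
  include:
    - .
  exclude:
    - glob(**/node_modules/**)
sca:
  include:
    - .
EOF
}

# config_paths_match CONFIG MOUNT: succeed only if every working_dir / file_path
# value in CONFIG lives under MOUNT/ (and at least one such key is present).
config_paths_match() {
  cfg=$1; mnt=$2; found=0
  for p in $(awk '/^ *(working_dir|file_path):/ {print $2}' "$cfg"); do
    found=$((found + 1))
    case $p in
      "$mnt"/*) ;;
      *) return 1 ;;
    esac
  done
  [ "$found" -gt 0 ]
}

# scan_command HOSTDIR MOUNT: the docker command the page gives, for inspection.
scan_command() {
  printf 'docker run -v %s:%s %s skims scan %s/config.yaml\n' "$1" "$2" "$IMAGE" "$2"
}

# results_present DIR: true when a non-empty results CSV sits next to config.yaml.
results_present() {
  [ -s "$1/Fluid-Attacks-Results.csv" ]
}

# run_scan DIR: scaffold, validate, scan, and check for output.
run_scan() {
  dir=$1
  scaffold_scan_dir "$dir"
  if ! config_paths_match "$dir/config.yaml" "$MOUNT"; then
    echo "config.yaml paths do not start with $MOUNT; fix working_dir/file_path" >&2
    return 1
  fi
  abs=$(cd "$dir" && pwd)          # bind mounts need an absolute host path
  echo "Running: $(scan_command "$abs" "$MOUNT")"
  docker run -v "$abs:$MOUNT" "$IMAGE" skims scan "$MOUNT/config.yaml"
  if results_present "$abs"; then
    echo "Results: $abs/Fluid-Attacks-Results.csv"
  else
    echo "Scan finished but no results CSV was produced" >&2
    return 1
  fi
}

# Usage: sh run_casa_scan.sh /home/you/fluid_scanner
if [ $# -gt 0 ]; then
  run_scan "$1"
fi
```

Put your application code under DIR/my_app before running, or adjust working_dir and the my_app path together; the script refuses to start the container when the container-side paths in config.yaml disagree with MOUNT, which is the usual cause of an empty or missing results file.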

Troubleshoot

Please read the FAQ page if you encounter any problems.
