I have a Google Sheets (editor) add-on. Recently they asked me to re-verify my app because it was using a restricted scope (Drive). I have now updated the code and somehow managed to remove all restricted scopes from the code. They have also asked me to go for a Tier 2 security assessment for my application. Their email:
Hello Google Developer,
Thank you for your patience while we reviewed your submission for project my-project-name. We need you to address the following items for us to continue your app's verification:
You are required to complete a Tier 2 security assessment for your application by the following date: 2024-01-15. This assessment is required annually; to learn more, please visit the CASA website.
You have the following options to complete your assessment:
1 - Tier 2 Self Scan Using Open Source Tool
2 - Tier 2 Self Scan Using Commercial Tools
You can use any CWE-compatible app scanning tool(s) that meet the CASA scan requirements.
3 - Tier 2 Authorized Lab Scan. Alternatively, we worked with the CASA authorized labs to provide a low-cost Tier 2 alternative for developers who want to work with a lab to conduct the assessment. Contact any CASA authorized lab to conduct your assessment.
NOTE: If you opt to complete a Tier 2 assessment with a CASA authorized lab, you are not required to initiate an assessment on the CASA portal and fill out the questionnaire.
Useful resources: Refer to the following documentation for more information:
Important! Once you have addressed the issues above, reply directly to this email to confirm. You must reply to this email after fixing the highlighted issues to continue with the app verification process.
Need to make changes to your verification request?
Please make direct changes on the Cloud Console. Save and submit the changes when finished.
No longer need access to these scopes?
Please reply to this email to cancel the verification request.
Need other help?
For more information on OAuth Verification, you can read the terms or policies for the APIs or products your app uses, as well as the following resources:
Link to OAuth Verification FAQ
Thank you,
The Third Party Data Safety Team
I have tried to understand things, but I am not able to understand all the technical terms.
Question 1: I don't know whether I should go for the FluidAttacks Free and Open Source CLI or another tool.
Question 2: In my case, which of the options in the above image should be chosen?
Edit: I emailed them the following. Their reply:
So I don't need to go for CASA verification for this app. But these questions should still be answered; they will be useful to others, and to me for my other projects.
References:
For your first question, I'd select FluidAttacks as my scan tool. Based on my interpretation of CASA's definitions, Google Add-ons fall under the Serverless banner (even more so than Web Apps), since a lot of the underlying infrastructure that drives them is provided by Google, as it's a cloud-based technology. So for your second question, by process of elimination, your scan type would be "Static Scanning Procedures": it supports serverless and it's a non-custom, CASA-recommended option.
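The asker's trigger for all of this was a restricted Drive scope, and the claim that "all restricted scopes" were removed is worth checking mechanically before replying to the verification email. The following script is an added example, not code from the asker, the answerer, Google or FluidAttacks. It audits an Apps Script manifest (`appsscript.json`, whose `oauthScopes` array pins the scopes the add-on requests) and the `.gs` source for two things: restricted Drive scopes still declared, and uses of the `DriveApp` service, which cause Apps Script to infer the full Drive scope when `oauthScopes` is not pinned. The `RESTRICTED_SCOPES` set is an assumption reflecting Google's published Drive scope classification at the time of writing; confirm it against the current list. The manifests and source snippets are constructed samples.

```python
"""
Audit an Apps Script add-on for restricted Drive OAuth scopes.

Added example (not from the original post). Assumptions: RESTRICTED_SCOPES
reflects Google's published classification of Drive scopes; the manifests
and .gs sources below are constructed samples, not the asker's add-on.
"""
import json
import re

# Assumption: Drive scopes Google lists as "restricted" (re-check the current list).
RESTRICTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/drive.activity",
    "https://www.googleapis.com/auth/drive.activity.readonly",
    "https://www.googleapis.com/auth/drive.apps.readonly",
    "https://www.googleapis.com/auth/drive.metadata",
    "https://www.googleapis.com/auth/drive.metadata.readonly",
    "https://www.googleapis.com/auth/drive.scripts",
})

# Constructed sample: the manifest before the fix still requests the full Drive scope.
MANIFEST_BEFORE = """{
  "timeZone": "Etc/UTC",
  "oauthScopes": [
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/drive"
  ]
}"""

# Constructed sample: after the fix, only per-file Drive access plus the current sheet.
MANIFEST_AFTER = """{
  "timeZone": "Etc/UTC",
  "oauthScopes": [
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/drive.file"
  ]
}"""

# Constructed sample sources. DriveApp use makes Apps Script infer the full
# Drive scope if the manifest does not pin oauthScopes explicitly.
SOURCE_BEFORE = """function onOpen() {
  var f = DriveApp.getFileById('abc');
}"""
SOURCE_AFTER = """function onOpen() {
  var s = SpreadsheetApp.getActiveSpreadsheet();
}"""

DRIVE_SERVICE_RE = re.compile(r"\bDriveApp\s*\.")


def declared_scopes(manifest_text):
    """Scopes pinned in appsscript.json; [] means Apps Script will infer them from code."""
    manifest = json.loads(manifest_text)
    return list(manifest.get("oauthScopes", []))


def restricted_in(scopes):
    """Subset of the given scopes that fall in the restricted tier, sorted."""
    return sorted(s for s in scopes if s in RESTRICTED_SCOPES)


def drive_service_lines(source_text):
    """1-based line numbers where the source calls the DriveApp service."""
    return [n for n, line in enumerate(source_text.splitlines(), 1)
            if DRIVE_SERVICE_RE.search(line)]


def audit(manifest_text, source_files):
    """Return (passes, findings) for a manifest plus {filename: source} mapping."""
    findings = []
    scopes = declared_scopes(manifest_text)
    if not scopes:
        findings.append("manifest does not pin oauthScopes; Apps Script will infer them from code")
    for scope in restricted_in(scopes):
        findings.append(f"restricted scope declared: {scope}")
    for name, text in source_files.items():
        for n in drive_service_lines(text):
            findings.append(f"{name}:{n} uses DriveApp, which implies the full Drive scope "
                            "unless oauthScopes is pinned to something narrower")
    return (not findings, findings)


if __name__ == "__main__":
    for label, manifest, source in (("before", MANIFEST_BEFORE, SOURCE_BEFORE),
                                    ("after", MANIFEST_AFTER, SOURCE_AFTER)):
        ok, findings = audit(manifest, {"Code.gs": source})
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run it against the real `appsscript.json` and `.gs` files pulled from the project (for example with `clasp`); a clean pass gives concrete evidence to cite when replying to the verification email that the restricted scope is gone. A scope absent from `RESTRICTED_SCOPES` is not necessarily non-sensitive; the script only answers the restricted-tier question the email raised.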