You are here:

CASA Certification for Web Applications and APIs: The Engineering Guide to AL1/AL2 Assessment

Businessman monitoring a Cyber Risk Assessment dashboard to evaluate CASA certification readiness for web applications and APIs.

TL;DR

  • CASA (Cloud Application Security Assessment) is the App Defense Alliance (ADA) certification scheme for web applications and web-accessible APIs, now maintained by the ASA Working Group and built on OWASP ASVS.
  • Two assurance levels: AL1 (Verified Self-Assessment) — the developer submits evidence and compliance statements for every audit test case, including required automated scan artifacts, and an ADA-approved lab reviews that evidence without directly testing the app. AL2 (Lab Assessment) — the lab evaluates every audit test case directly against the running application, with the developer providing limited supporting information or code snippets on request.
  • CASA is organized into six control domains: Authentication, Session Management, Access Control (including OAuth 2.0), Communications (TLS/crypto), Data Validation and Sanitization, and Configuration.
  • Scoping determines which first-party components and third-party APIs handling sensitive operations (auth, user data mutation, account recovery) fall inside the assessment boundary — this is usually the single biggest source of quote and timeline disputes.
  • A CASA assessment does not replace a full penetration test, a secure SDLC, or privacy compliance — it verifies a defined, testable subset of OWASP ASVS-aligned controls.
  • ValueMentor is pursuing/holds ADA Authorized Lab status for the applicable CASA profile — verify current listing status before publication — and runs assessor-led scoping, evidence-pack review, and certification-submission support for both AL1 and AL2 engagements.

Not sure whether your last web pentest actually maps to CASA’s audit test cases? Book a 30-minute CASA scoping call and get a preliminary breakdown of which of your existing evidence (SAST/DAST reports, pentest findings, config baselines) already satisfies specific CASA controls versus what still needs to be generated.

Introduction

Most engineering teams don’t worry about security until someone asks a simple question:

“Can you prove your application is secure?” That’s when the real challenge begins.

You may have penetration test reports, vulnerability scans, secure coding practices, and months of remediation work behind you. But when a platform, customer, or business partner asks for evidence that your web application or API meets a recognized security standard, scattered reports and security claims are rarely enough.

This is exactly where CASA comes in. Instead of asking whether you’ve “done security,” CASA asks whether you can demonstrate it through measurable controls, verifiable evidence, and a standardized assessment process.

In this guide, we will break down what CASA certification really means, how AL1 and AL2 assessments differ, the controls that matter most, and how your team can prepare without turning the assessment into a last-minute scramble.

What CASA Actually Certifies (and What It Doesn’t)

CASA — formally the ADA Web/API security profile, previously published as the ADA Web App Profile and before that as CASA v2 — defines testable, acceptance-criteria-driven requirements derived from OWASP ASVS. The working group’s explicit design goal was automation-friendly, binary-outcome test cases rather than broad advisory guidance. That’s why every control below maps to a specific Spec ID with a pass/fail audit statement, not a narrative recommendation.

What’s in scope by default:

  • The target web application(s) as a logical service group, plus shared first-party backend components/APIs they depend on.
  • Third-party product APIs that perform sensitive operations — authentication, user data access/mutation, account recovery — but only against the Authentication, Session Management, and Access Control requirements, and only for the components/configurations your application actually uses.

What’s explicitly out of scope:

  • Third-party APIs your application doesn’t call.
  • Non-sensitive operations on third-party APIs (e.g., an analytics ingestion endpoint that never touches user data).
  • Full penetration testing outside the ASVS-aligned control set, general secure SDLC maturity, and privacy/regulatory compliance (GDPR, CCPA, etc.) — CASA doesn’t attest to any of these.

AL1 vs. AL2: What Actually Changes Operationally

 AL1 — Verified Self-AssessmentAL2 — Lab Assessment
Who tests the appYou do, against each audit test caseThe ADA-approved lab, directly
What the lab doesReviews your submitted evidence and compliance statements per test caseIndependently executes/validates each test case against the live application
Evidence burdenYou must produce a verified self-assessment package: automated scan artifacts, configuration exports, and documented compliance statements for every Spec IDYou provide the app, environment access, and limited supporting artifacts or code snippets only where the lab requests them
Typical triggerPlatform or partner requirement for a lighter-weight, evidence-based attestationHigher-risk applications, platform requirements mandating an Authorized Security Testing Lab (ASTL), or when self-assessment evidence can’t be independently substantiated

The distinction that trips up engineering teams: AL1 is not “paperwork only.” It requires the same automated scan coverage (SAST/DAST/dependency scanning outputs) that would inform AL2 — the difference is who executes the live verification against the application, not whether technical evidence is required at all.

CASA Control Domains, Audit Test Cases, and Assessment Evidence

The table below maps each CASA control area to the actual Spec IDs from the current specification, what an assessor does at each one, and what typically fails in practice.

Assessment areaRelevant requirement or controlWhat the assessor tests or reviewsEvidence the development team should provideCommon failure patternRecommended pre-assessment action
Authentication1.1 Password security (brute-force resistance, initial-password expiry, offline-attack-resistant storage)Rate-limiting/lockout behavior under automated credential-stuffing simulation; password hash algorithm and work factor; expiry of system-generated activation codesSAST/DAST scan output covering auth endpoints; password hashing config (e.g., bcrypt/argon2 parameters); rate-limit/WAF rulesMissing or IP-only rate limiting that’s trivially bypassed with rotating headers or distributed sourcesRun an authenticated DAST pass specifically against login/reset endpoints before submission
Authentication1.2 Default accounts disabled on public interfacesAttempts default/known credential pairs against publicly exposed login surfacesInventory of all public-facing accounts and provisioning workflow documentationDefault admin accounts left active on staging environments that are technically internet-reachableRun an external attack-surface scan to confirm no forgotten default-credential endpoints are exposed
Authentication1.3 Out-of-band verifier randomness/reuse (SMS/email OTP)Entropy and reuse of OTP/verification codes; expiry window; brute-force resistanceOTP generation logic or code snippet; expiry configuration; rate-limit config on the verification endpointPredictable or sequential OTPs, or codes that remain valid after first useVerify OTP generation uses a CSPRNG and enforce single-use + short TTL server-side
Session Management2.1–2.4 URL exposure of authentication material, logout/expiration invalidation, Secure/HttpOnly cookie flags, re-auth on sensitive actionsInspects URLs/logs for tokens in query strings; triggers logout/password-change flows and checks token revocation; inspects Set-Cookie headers; attempts sensitive account changes on a stale sessionHAR captures or DAST logs showing no tokens in URLs; session invalidation logic; cookie configurationRefresh tokens that remain valid after logout because only the access token is revokedConfirm logout invalidates all stateful tokens, including refresh tokens, server-side
Access Control3.1 Least-privilege access control, IDOR protection, anti-CSRF, secure failureSystematic IDOR probing (horizontal/vertical privilege escalation) via parameter manipulation; CSRF token validation; error-handling fail statesAPI access-control matrix; anti-CSRF token implementation; authorization middleware code snippetsObject references (order IDs, user IDs) that are sequential and lack ownership checks server-sideRun an authenticated IDOR sweep across every object-returning endpoint prior to assessment
Access Control3.2 Secure OAuth 2.0 integrationsConfirms only Authorization Code Flow (with PKCE where applicable) is used; validates `redirect\_uri` allowlisting and `state` parameter enforcementOAuth flow diagrams; client configuration showing PKCE enablement; redirect URI allowlistImplicit Flow still enabled for legacy clients, or `redirect\_uri` validated with a loose substring match instead of an exact allowlist matchMigrate any remaining Implicit or Resource Owner Password Credentials flows and lock `redirect\_uri` matching to exact-string allowlists
Access Control3.3 MFA on exposed administrative interfacesAttempts access to admin-layer functionality; confirms MFA enforcement and that infrastructure-layer admin is not internet-exposedAdmin interface inventory; MFA enforcement configurationApplication-layer admin panel reachable externally without MFA, distinct from infrastructure console accessEnforce MFA on every internet-reachable admin route and confirm infrastructure consoles are never public
Communications4.1 TLS configuration, trusted certificates, weak-crypto elimination, secure crypto failure modesTLS configuration scan (cipher suites, protocol versions); certificate trust chain validation; padding-oracle and weak-cipher testingServer TLS configuration export; certificate chain documentation; internal CA trust listSelf-signed or internal CA certificates trusted server-wide instead of pinned to specific issuersRun a TLS configuration scan and restrict trust to explicitly listed internal CAs/certificates
Data Validation5.1 Injection defenses (XSS, SQLi, OS command injection, SSRF, XPath/XML injection, template injection, HTTP parameter pollution, unsafe eval)Automated and manual injection testing across all input vectors; output-encoding verification; SSRF probing against internal metadata endpointsSAST results covering input handling; DAST scan results across all parameters; allowlist configuration for redirectsSSRF via unvalidated outbound requests reaching internal cloud metadata services (e.g., 169.254.169.254)Add egress allowlisting/validation on any server-side outbound request feature before assessment
Data Validation5.2 Secure handling of untrusted file uploadsUploads disallowed file types/extensions; checks for direct execution of uploaded contentFile-type allowlist configuration; storage/execution isolation architectureUploaded files served from the same origin/path structure that allows execution as server-side or client-side codeServe uploads from a separate, non-executable origin or object storage with strict content-type enforcement
Configuration6.1–6.7 Component patching, debug modes, Origin-header trust, subdomain takeover, credential/payment logging, browser storage clearing, secrets managementDependency/CVE scanning; probes for exposed debug endpoints/stack traces; DNS/CNAME audit for dangling records; log review for sensitive data; browser storage inspection post-logout; secrets-store configuration reviewSCA/dependency scan reports; production configuration confirming debug disabled; DNS zone file; log sampling; secrets management architecture (e.g., vault/KMS configuration)Dangling CNAME records pointing to decommissioned third-party services, enabling subdomain takeoverRun a DNS/CNAME audit against all subdomains and remove or reclaim any pointing to deprovisioned services

Have an existing pentest report and want to know which rows above it already covers? Send us your latest test summary and we’ll return a gap map showing which CASA Spec IDs are already substantiated versus which need new evidence — before you scope a full engagement.

Testing Methodology: How the Evidence Actually Gets Generated

CASA’s control set assumes automation-first verification wherever a test case can be made binary. In practice, a CASA-aligned technical program layers four testing vectors:

  • SAST (Static Application Security Testing) against the application codebase — surfaces injection-prone patterns (unsanitized eval() usage, unparameterized queries), insecure cryptographic calls, and hardcoded secrets before runtime testing even starts. This directly feeds Spec IDs under 5.1 and 6.7.
  • DAST (Dynamic Application Security Testing) against a running instance — authenticated and unauthenticated crawl-and-attack passes covering the OWASP ASVS-aligned injection, session, and access-control test cases (2.x, 3.1, 5.1).
  • Configuration audits — TLS/cipher suite scanning, DNS/CNAME review for subdomain takeover exposure (6.4), dependency/CVE scanning for outdated components (6.1), and cloud/server hardening checks against baselines consistent with CIS Benchmark guidance.
  • Manual verification — IDOR chains, OAuth flow inspection (redirect_uri/state validation), business-logic abuse cases, and anything a scanner can flag but not conclusively confirm — these are the test cases most likely to require AL2-level, hands-on lab execution rather than self-assessment evidence.

Across web/API assessments generally, OAuth redirect\_uri validation and session/refresh-token invalidation on logout are two of the more frequently underspecified controls — teams often correctly revoke the access token on logout while leaving a long-lived refresh token active, which fails Spec 2.2.1 even though the visible login/logout UX appears correct.

Common Objections We Hear Before Teams Scope a CASA Assessment

We already run web penetration tests — don’t they cover this?

Possibly some of it. A general web pentest and a CASA assessment can overlap heavily on injection and access-control testing, but a pentest report isn’t structured against CASA’s specific Spec IDs, and pentests frequently don’t isolate OAuth flow validation, session-token lifecycle behavior, or configuration controls like DNS/subdomain-takeover exposure with the same granularity CASA’s audit test cases require. The practical question isn’t “do we have security testing,” it’s “can we map our existing evidence line-by-line to each Spec ID,” which is exactly what a scoping review checks before you commit to a full assessment.

We don’t know if our authentication, OAuth, and TLS setup would pass.

This is precisely what assessor-led scoping and a readiness assessment resolve before the formal, submission-grade assessment starts — cheaper to find a gap in a scoping call than mid-assessment.

We need clarity on scope before committing budget.

First-party components, shared backends, and any third-party API touching authentication or user data are candidates for inclusion — but the exact boundary (which services, which environments, which third-party integrations) has to be defined per application. That definition step is a deliverable in itself, not something to assume from a template.

How ValueMentor Approaches CASA Engagements?

ValueMentor is an ADA Authorized Lab for the applicable CASA profile (verify current authorized-lab listing before relying on this for a specific engagement), and structures CASA work around the assessment lifecycle rather than remediation:

  • Assessor-led scope definition — first-party target application(s), shared backend/API dependencies, and in-scope third-party sensitive-operation APIs are documented and agreed before testing starts, directly addressing the scope ambiguity most teams flag as their biggest blocker.
  • Web and API test coverage mapped to every CASA Spec ID across Authentication, Session Management, Access Control (including OAuth 2.0 flow and redirect/state validation), Communications, Data Validation, and Configuration.
  • Evidence-pack review — for AL1 engagements, verification that submitted SAST/DAST artifacts, configuration exports, and compliance statements actually substantiate each test case rather than describing intent.
  • Finding validation and certification-submission support — findings are validated against CASA’s acceptance criteria and packaged for the certification workflow; ValueMentor does not issue the final certificate — that determination is made by the Alliance certification body.

Applications integrating multiple third-party authentication or payment APIs tend to under-scope the third-party boundary — teams often assume a vendor’s own security posture “covers” the integration, when CASA specifically requires testing the sensitive-operation-handling configuration *as used by the target application*, not the vendor’s platform in isolation.

CASA does not replace a full secure SDLC program, privacy compliance work, or broader penetration testing outside its control set — and no assessment can guarantee certification outcome, a fixed timeline, or zero findings. What a structured scoping and evidence-review process can do is reduce the number of assessment cycles needed to reach a submission-ready state.

Frequently Asked Questions


What is CASA certification?

CASA (Cloud Application Security Assessment) is the App Defense Alliance’s certification scheme for web applications and web-accessible APIs, built on OWASP ASVS and executed through ADA-authorized labs at either AL1 (verified self-assessment) or AL2 (lab assessment) assurance levels.


How is AL1 different from AL2 in practice?

AL1 requires the developer to generate and submit evidence — including automated scan artifacts — for every audit test case, which an authorized lab then reviews. AL2 requires the lab to directly execute each test case against the live application, with the developer supplying supporting information only where requested.


Does passing a general web penetration test satisfy CASA?

Not automatically. Overlap exists, particularly on injection and access-control testing, but CASA’s audit test cases require specific, ID-mapped evidence — including OAuth flow validation, session-token lifecycle behavior, and configuration controls that a general pentest report typically isn’t structured to demonstrate directly.


Who issues the final CASA certificate?

The Alliance certification body verifies and issues the final certification outcome; an authorized assessment lab validates findings and supports the submission but does not issue the certificate itself.


What’s out of scope for a CASA assessment?

Third-party APIs the target application doesn’t use, non-sensitive third-party operations, and anything outside the defined ASVS-aligned control set — including broader secure SDLC maturity and privacy/regulatory compliance.

Conclusion

CASA isn’t just another security checklist to complete or another certification to display on a website. It reflects a growing shift in how application security is evaluated—from saying an application is secure to proving it with evidence.For many organizations, the assessment itself isn’t the hardest part. The real challenge is understanding what’s in scope, knowing whether existing security testing actually satisfies CASA requirements, and identifying the gaps before they become costly delays.

The teams that approach CASA as a readiness exercise rather than a compliance obligation often gain something far more valuable than certification: a clearer understanding of their application’s security posture and greater confidence in the systems they’ve built. Whether you’re pursuing AL1 or AL2, investing time in preparation today can make the assessment smoother, strengthen your security program, and help you build lasting trust with customers, partners, and stakeholders.

Ready to see where your application stands against the actual Spec IDs above? Request a CASA readiness assessment scoping call with ValueMentor and you’ll receive a preliminary scope breakdown covering which first-party and third-party components would fall in-boundary, which of your existing SAST/DAST/pentest evidence likely maps to specific controls, and what an AL1 versus AL2 path would look like for your architecture.

Table of Contents

Protect Your Business from Cyber Threats Today!

Safeguard your business with tailored cybersecurity solutions. Contact us now for a free consultation and ensure a secure digital future!

Ready to Secure Your Future?

We partner with ambitious leaders who shape the future, not just react to it. Let’s achieve extraordinary outcomes together.

I want to talk to your experts in:

Related Blogs

Business professional reviewing a secure mobile application with floating security scan progress, risk score, and compliance checklist, illustrating MASA certification for mobile applications.
Software engineer performing DASA certification security assessment for Windows, macOS, and Linux desktop applications using an enterprise cybersecurity dashboard.
Sleek computer monitor showcasing a modern dark-mode web application dashboard, representing the transformation toward agile, personalized digital experiences powered by AI, microservices, and enterprise-grade cybersecurity.