
Validate CASA tier 2 requirements

Fluid Attacks' Machine Standalone is recommended by the App Defense Alliance (ADA) for static scanning (SAST). You can use the scanner to verify the tier 2 requirements of the ADA's Cloud Application Security Assessment (CASA) framework.

The CASA requirements are based on those of the OWASP Application Security Verification Standard (ASVS), and each one maps to the CWE entries associated with failing to implement it. To pass the assessment, an application must meet all 73 CASA requirements, no matter their CWE rating. Yearly revalidations are required.

At present, the App Defense Alliance's instructions on using the tool are outdated. This page walks you through the correct procedure to scan your application successfully.

Run the scanner

Note that you do not need to write a Dockerfile to run the tool: the scan runs from the fluidattacks/cli container image used in step 4.

  1. Create a local directory (fluid_scanner in this example) that holds the config.yaml file and the directory or files you want to scan. Your folder structure should look similar to this:

    home
    └── fluid_scanner
        ├── my_app/
        │   ├── src/
        │   └── package.json
        └── config.yaml
  2. We recommend using the following config.yaml:

    namespace: my_app
    working_dir: /working-dir/my_app
    output:
      file_path: /working-dir/Fluid-Attacks-Results.csv
      format: CSV
    language: EN
    apk:
      include:
        - glob(**/*.apk)
    sast:
      include:
        - .
      exclude:
        # Directories created by package managers, e.g., node_modules, vendor, dist.
        - glob(**/node_modules/**)
    sca:
      include:
        - .

    working_dir and output.file_path are paths inside the container, not on your host, so they start with the mount point used in step 4 (/working-dir). The exclude list is where you keep third-party and generated code (node_modules, vendor, dist) out of the scan so that the findings refer to your own sources.

Tip: More information about the configuration keys can be found in the configuration reference.

  3. Open a terminal and change to the fluid_scanner directory (or whichever directory holds your application code and the config file).

  4. Run the following command to execute the scan:

    docker run -v /your/local/dir:/working-dir fluidattacks/cli:arch skims scan /working-dir/config.yaml

    where arch is either amd64 or arm64, matching the CPU architecture of the machine running Docker, and /your/local/dir is the absolute path of the directory from step 1 (for example, the output of pwd when you are inside it).

Tip: working-dir is just a placeholder for the name under which your local directory is mounted inside the container. You can use any name you want as long as you also change it in config.yaml, because working_dir and output.file_path must point below that mount point to exist inside the container.

  5. If everything goes well, the .csv file with the scan results is next to config.yaml in the fluid_scanner folder.
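The whole procedure, from writing the recommended config.yaml to launching the container, scripted as an added example (this is not Fluid Attacks' code and not part of the original page). It assumes the directory layout from step 1, the fluidattacks/cli:amd64 and fluidattacks/cli:arm64 image tags from step 4, and docker on PATH; the only addition to the documented command is --rm, so the container is deleted after the scan. The check_layout function catches the most common mistake with this setup before a container is started: a mount name that was changed on the docker command line but not in config.yaml.

```shell
#!/bin/sh
# Added example (not Fluid Attacks' code): scripts the Machine Standalone
# scan procedure. Assumes the step 1 layout, the fluidattacks/cli:<arch>
# image tags from step 4, and docker on PATH.
set -eu

# Map the output of `uname -m` to the image tag suffix (amd64 or arm64).
arch_tag() {
  case "$1" in
    x86_64|amd64) echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Write the recommended config.yaml into directory $1 for namespace $2,
# assuming the local directory is mounted at /$3 inside the container.
write_config() {
  cat > "$1/config.yaml" <<EOF
namespace: $2
working_dir: /$3/$2
output:
  file_path: /$3/Fluid-Attacks-Results.csv
  format: CSV
language: EN
apk:
  include:
    - glob(**/*.apk)
sast:
  include:
    - .
  exclude:
    # Directories created by package managers, e.g., node_modules, vendor, dist.
    - glob(**/node_modules/**)
sca:
  include:
    - .
EOF
}

# Before starting a container, check that the config in $1 agrees with the
# mount name $2: a working_dir or file_path outside /$2 does not exist there.
check_layout() {
  [ -f "$1/config.yaml" ] || { echo "missing $1/config.yaml" >&2; return 1; }
  grep -q "^working_dir: /$2/" "$1/config.yaml" \
    || { echo "working_dir is not under /$2" >&2; return 1; }
  grep -q "^  file_path: /$2/" "$1/config.yaml" \
    || { echo "output.file_path is not under /$2" >&2; return 1; }
}

# The command from step 4 (plus --rm) for host dir $1, mount name $2, arch $3.
scan_command() {
  printf 'docker run --rm -v %s:/%s fluidattacks/cli:%s skims scan /%s/config.yaml\n' \
    "$1" "$2" "$3" "$2"
}

# $1 = local directory holding config.yaml and the code,
# $2 = mount name (defaults to working-dir, as in the page).
run_scan() {
  dir=$(cd "$1" && pwd)      # docker -v needs an absolute host path
  mount=${2:-working-dir}
  check_layout "$dir" "$mount"
  arch=$(arch_tag "$(uname -m)")
  echo "+ $(scan_command "$dir" "$mount" "$arch")"
  docker run --rm -v "$dir:/$mount" "fluidattacks/cli:$arch" \
    skims scan "/$mount/config.yaml"
  ls -l "$dir"/*.csv         # the results land next to config.yaml
}

# Only start a scan when a directory is given, so the functions above can be
# sourced and exercised without docker.
[ -z "${1:-}" ] || run_scan "$1" "${2:-}"
```

Run it as `sh scan.sh /home/fluid_scanner` (or `sh scan.sh /home/fluid_scanner my-mount` after changing the mount name in config.yaml); `write_config /home/fluid_scanner my_app working-dir` produces the config.yaml shown in step 2.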

Troubleshoot

If you run into a problem, see the FAQ page.
