Please be advised that due to recent changes by Google this article could be out of date.
If you have any queries, please contact support.


On February 15, 2024, Google introduced stricter requirements for applications that use OAuth with restricted scopes. nomorePAPER's Google Connectors use a restricted scope (https://www.googleapis.com/auth/drive), so if you run a branded website (WaaS) or host the system on a private server you may receive a request from Google to undergo a Cloud Application Security Assessment (CASA).


This article covers all the information needed to complete the certification for nomorePAPER’s Google API account. If you receive the request, you will need to follow the same steps, except for performing the scan: we can provide you with the scan results from our certification.


In this article

  • Initial Steps
  • Perform the scan
  • Submit results

Initial Steps

  1. Receive a request from Google to undergo the CASA certification process.

  2. Register on the CASA portal.

  3. Choose to Start New Assessment, and fill in the details.

  4. Select the option to Request to bypass Fortify Scan.

  5. Provide this message as a reason for the request:

    We appreciate the importance of security scanning. However, due to significant intellectual property in our source code, we can only upload the code for analysis with a signed Non-Disclosure Agreement (NDA) in place.

    Fortunately, the App Defense Alliance recommends the FluidAttacks Free & Open Source CLI tool for static application security testing (SAST). This tool lets us perform automated scans directly on our machines without uploading the source code. We are comfortable using this approach to ensure our application's security while protecting confidential information.

  6. Click on Survey and fill in all the required information (items marked with an asterisk *).

  7. For specific questions, use the information below:

    1. Upload industry certifications
      N/A

    2. Did you perform a DAST scan or SAST scan?
      SAST

    3. Did you use custom-built software to perform your SAST scan? Or did you use a pre-approved SAST scanning tool?
      I used a pre-approved tool.

    4. Did the scanning policy used to scan your application cover the required CASA CWEs for SAST scans?
      Yes

    5. Confirm that your SAST scan was performed against the latest production version of your application repository.
      Tick


  8. Click Save As Draft.


Perform the scan

Instead of running the Fortify scan yourself, request the latest scan results from nomorePAPER at support@gonomorepaper.com.


Submit results

  1. Sign back into the CASA portal and continue with the assessment.

  2. Upload the results file at the end of the assessment and click Next.

  3. Answer the questions as follows:


Architecture, Design and Threat Modeling

  Are all the application's trust boundaries, components, and significant data flows documented and justified?
    Yes

  Do trusted enforcement points enforce access controls (e.g. access control gateways, servers, and serverless functions, enforce access controls, etc)?
    Yes

  Is sensitive data identified and classified into protection levels?
    Yes

  Do all protection levels have an associated set of protection requirements and are applied in the architecture (e.g. encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements)?
    Yes

  Is the application free of unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets?
    Yes

Session Management

  Do cookie-based session tokens utilize the 'SameSite' attribute to limit exposure to cross-site request forgery attacks?
    Yes

Validation, Sanitization and Encoding

  Are security controls implemented to prevent LDAP injection?
    N/A

  Is your application protected against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks?
    Yes

Stored Cryptography

  Does your application process or store any regulated private data, such as personally identifiable information (PII), sensitive personal information, or data assessed likely to be subject to EU’s GDPR?
    Yes

  Does your application encrypt this data while at rest?
    Yes

  Does your application process or store any regulated health data, such as medical records, medical device details, or de-anonymized research records?
    No

  Does your application process or store any regulated financial data, such as financial accounts, defaults, or credit history, tax records, pay history, beneficiaries, or de-anonymized market or research records?
    No

  Are serialized objects encrypted to prevent hostile object creation or data tampering?
    Yes

  Where is encryption being performed? If encryption is occurring at more than one level in the application stack, please select each level where encryption is taking place. Select all that apply.
    Select all three: Application Level, Database Level, Filesystem Level

  Which cryptographic algorithm is in use? Please select the corresponding key type:
    aes256-gcm96

  Is data at rest encrypted by default or through managed server side encryption (SSE)? Select managed server-side encryption if you are configuring cryptographic keys yourself through a key management platform. This includes both customer-managed keys (CMEK) and customer-supplied keys (CSEK/BYOK). Select default encryption if your storage location automatically encrypts its contents (e.g. Google Cloud Storage).
    Default

  Are cryptographic operations processed using constant-time methods, with no 'short-circuit' operations used in comparisons, calculations, or returns?
    Yes

Malicious Code

  Does your application employ integrity protections, such as code signing or subresource integrity?
    Yes

  Does your application prevent code from untrusted sources from being loaded or executed?
    Yes

  Does your application have protection from subdomain takeovers if the application relies upon DNS entries or DNS subdomains?
    Yes

  Does your application ensure that DNS names in use are regularly checked for expiry or change?
    Yes

Business Logic

  Does your application have anti-automation controls to protect against excessive calls such as mass data exfiltration, business logic requests, file uploads or denial of service attacks?
    Yes

Files and Resources

  Are files obtained from untrusted sources stored outside the web root, with limited permissions?
    Yes

  Are files obtained from untrusted sources scanned by antivirus scanners to prevent upload and serving of known malicious content?
    Yes

API and Web Service

  Are API URLs free of sensitive information, such as the API key, session tokens etc?
    Yes

  Are authorization decisions made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions?
    Yes

  Are RESTful HTTP methods enabled to enforce least privilege, such as preventing normal users from using DELETE or PUT on protected API or resources?
    Yes

Build and Deploy

  Are application build and deployment processes performed in a secure and repeatable way (e.g. CI / CD automation, automated configuration management, and automated deployment scripts)?
    Yes

  Can the application, its configurations, and any dependencies be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion?
    Yes

  Are authorized administrators able to verify the integrity of all security-relevant configurations to detect tampering?
    Yes

  Are any web or application server and application framework debug modes disabled in production?
    Yes

  Does the application ensure that the supplied Origin header is not being used for authentication or access control decisions?
    Yes


  4. Once you have submitted the survey, return to the assessment home page and ensure the status has changed to Submitted. You now have to wait until you hear back: monitor your email and sign back in weekly to check for an update.

  5. Eventually the assessment will be completed and you will be issued a certificate.