CASA Tier 2 & Tier 3 Security Review: Providers and Pricing
Google's Cloud Application Security Assessment (CASA) program requires certain Chrome extensions (and other apps) that access sensitive or restricted Google user data to undergo independent security reviews. These reviews are conducted by authorized labs in the App Defense Alliance and are classified into Tier 2 and Tier 3 assessments. Tier 2 generally involves a lab-validated vulnerability scan of the extension (the developer runs scans with approved tools, and the lab reviews and validates the results), whereas Tier 3 is a comprehensive, lab-conducted penetration test of the application, including its infrastructure. Successful completion yields a Letter of Validation (LOV) from the assessor, and Tier 3 also confers an "Independent Security Verification" badge for Google Workspace Marketplace listings.
Comparison of CASA Assessment Providers (Tier 2 vs. Tier 3)
Below is a comprehensive comparison of all Google CASA-authorized security assessors (as of 2024) that offer Tier 2 and/or Tier 3 Chrome extension security assessments:
| Provider | Tier 2 | Tier 3 | Pricing | Turnaround | Google-Preferred |
|---|---|---|---|---|---|
| TAC Security | Yes | Yes | $540 (T2) / $4,500 (T3) | 1-3 weeks / 2-4 weeks | Yes |
| Leviathan Security | Yes | Yes | $800-$1,200 (T2) / $5,000-$8,000 (T3) | 2-3 weeks / 3-5 weeks | No |
| Bishop Fox | Yes | Yes | $1,500+ (T2) / $8,000+ (T3) | 2-4 weeks / 4-6 weeks | No |
| KPMG | Yes | Yes | Enterprise pricing | 4-8 weeks | No |
| NCC Group | Yes | Yes | $1,200+ (T2) / $7,000+ (T3) | 3-4 weeks / 4-6 weeks | No |
| NetSentries | Yes | Yes | $900-$1,500 (T2) / $5,500-$7,500 (T3) | 2-3 weeks / 3-5 weeks | No |
| Orange Cyberdefense | Yes | Yes | Custom pricing (South Africa) | 3-5 weeks | No |
| Prescient Security | Yes | Yes | $1,000+ (T2) / $6,000+ (T3) | 2-4 weeks / 4-6 weeks | No |
| GDS (Aon Cyber Labs) | Yes | Yes | Enterprise pricing | 4-6 weeks | No |
| DEKRA | Yes | Yes | Custom pricing (Germany) | 4-8 weeks | No |
Provider Profiles and Details
TAC Security (Preferred Partner)
Overview: TAC Security is Google's preferred partner for CASA assessments, based in India. They offer the most streamlined and affordable process for Chrome extension security reviews.
Services:
- Tier 2: Functional scan validation with guided remediation. Basic package starts at $540 per app, with premium options up to $1,800.
- Tier 3: Comprehensive security audit including penetration testing at $4,500 per app.
Key Features:
- Online portal (CASA.tacsecurity.com) for easy submission
- Fastest turnaround time (1-3 weeks for Tier 2, 2-4 weeks for Tier 3)
- Re-scans included in the price (from two up to unlimited)
- Guided remediation support
- Transparent pricing and process
Leviathan Security
Overview: Leviathan Security is a USA-based security firm known for thorough security assessments and expertise in application security.
Services:
- Tier 2: Lab-verified scan with pricing ranging from $800 to $1,200 depending on app complexity.
- Tier 3: Full penetration test ranging from $5,000 to $8,000.
Key Features:
- Detailed security reports with actionable recommendations
- Experience with complex Chrome extensions
- Professional consultation throughout the process
- 2-3 weeks for Tier 2, 3-5 weeks for Tier 3
Bishop Fox
Overview: Bishop Fox is a well-established cybersecurity firm offering comprehensive security testing services, including CASA assessments.
Services:
- Tier 2: From $1,500, depending on scope.
- Tier 3: Comprehensive assessment from $8,000.
Key Features:
- Enterprise-grade security assessments
- Extensive experience with application security
- Detailed vulnerability analysis and remediation guidance
- Longer turnaround times (2-4 weeks for Tier 2, 4-6 weeks for Tier 3)
KPMG
Overview: KPMG is a global professional services firm offering CASA assessments as part of their cybersecurity practice.
Services:
- Both Tier 2 and Tier 3 assessments available
- Enterprise pricing model (contact for quote)
- Typically serves larger organizations with compliance requirements
Key Features:
- Big Four firm reputation and expertise
- Comprehensive compliance and audit services
- Longer turnaround times (4-8 weeks)
- Higher pricing tier, suited for enterprise clients
NCC Group
Overview: NCC Group is a global cybersecurity consulting firm with extensive experience in application security testing.
Services:
- Tier 2: From $1,200 for lab-validated scans.
- Tier 3: Comprehensive testing from $7,000.
Key Features:
- Global presence with local support
- Deep technical expertise in application security
- Detailed reporting and remediation support
- 3-4 weeks for Tier 2, 4-6 weeks for Tier 3
NetSentries
Overview: NetSentries is a cybersecurity firm specializing in application security assessments and penetration testing.
Services:
- Tier 2: Pricing ranges from $900 to $1,500 based on complexity.
- Tier 3: Full assessments ranging from $5,500 to $7,500.
Key Features:
- Competitive pricing for quality assessments
- Reasonable turnaround times (2-3 weeks for Tier 2, 3-5 weeks for Tier 3)
- Experienced security professionals
- Good balance of cost and thoroughness
Orange Cyberdefense (South Africa)
Overview: Orange Cyberdefense is part of the Orange Group, offering cybersecurity services including CASA assessments, primarily serving the South African market.
Services:
- Both Tier 2 and Tier 3 assessments available
- Custom pricing based on project scope
- Regional focus on African and European markets
Key Features:
- Regional expertise and support
- Part of larger cybersecurity organization
- Turnaround time of 3-5 weeks
- Good option for companies operating in Africa
Prescient Security
Overview: Prescient Security is a cybersecurity firm offering various security testing services, including CASA assessments.
Services:
- Tier 2: From $1,000 for validation scans.
- Tier 3: Comprehensive assessments from $6,000.
Key Features:
- Professional security assessments
- Mid-range pricing
- 2-4 weeks for Tier 2, 4-6 weeks for Tier 3
- Detailed reporting and support
GDS (Aon's Cyber Labs)
Overview: GDS, part of Aon's Cyber Labs, provides enterprise-level security assessments including CASA reviews.
Services:
- Both Tier 2 and Tier 3 assessments available
- Enterprise pricing model
- Integrated with Aon's broader risk management services
Key Features:
- Enterprise-focused approach
- Integration with risk management and insurance services
- Longer turnaround times (4-6 weeks)
- Suited for large organizations with complex needs
DEKRA
Overview: DEKRA is a Germany-based testing and certification organization offering CASA assessments, primarily serving European markets.
Services:
- Both Tier 2 and Tier 3 assessments available
- Custom pricing based on project requirements
- Strong presence in European market
Key Features:
- European-based with local expertise
- Part of larger testing and certification organization
- Longer turnaround times (4-8 weeks)
- Good option for European companies with compliance requirements
Choosing the Right Provider
When selecting a CASA assessment provider, consider the following factors:
- Budget: TAC Security offers the most affordable option, especially for startups and small businesses. Enterprise clients may prefer established firms like KPMG or Bishop Fox.
- Turnaround Time: If you need quick certification, TAC Security offers the fastest turnaround times. Other providers may take 4-8 weeks or longer.
- Geographic Location: Consider providers with local presence if you need in-person consultations or have regional compliance requirements.
- Complexity: More complex extensions with extensive backend infrastructure may benefit from the deeper expertise of firms like NCC Group, Bishop Fox, or Leviathan Security.
- Support: Look for providers that offer guided remediation and re-scanning services, which can be valuable during the certification process.
Conclusion
The CASA program is essential for Chrome extensions that handle sensitive Google user data. While TAC Security stands out as Google's preferred partner with the most competitive pricing and fastest turnaround times, other providers offer valuable alternatives depending on your specific needs, geographic location, and organizational requirements.
For most developers and small to medium businesses, TAC Security's streamlined process and transparent pricing make it the most accessible option. Larger enterprises with complex compliance requirements may prefer established firms like KPMG, NCC Group, or Bishop Fox despite higher costs and longer timelines.
Regardless of which provider you choose, obtaining CASA certification demonstrates your commitment to security and builds trust with users who rely on your Chrome extension to access their Google data securely.