
CASA is useful when:
- Target system is complex, or a system of systems
- Developer focus is on function, not security
- Target system is deployed in a hostile environment
- Target system is attractive to dynamic, adaptable adversaries
- Security trade-offs must be weighed
- The target system is new, or being used in a new application that may have unknown consequences
- Target system history shows previously discovered vulnerabilities
- A qualitative measure of system security is desired
- Need to establish or evaluate training and doctrine