Evaluation Division

HUNGUARD Ltd. is engaged in the evaluation of software products and systems for security and security-related legal compliance.

The primary objective of the evaluation of software products is to provide an understandable, acceptable and usable indication of the quality and safety of the product, and to provide a good basis for the various stakeholders – developers, suppliers, customers, users, evaluators, certification bodies – to use the software features.


Our evaluation division applies the following methodologies in two main areas:

1. Information security evaluation of software products

This evaluation methodology is applicable to business- and safety-critical software products. Drawing on many years of experience, we carry out our evaluations mainly in the following target areas:

  • Network and mobile software security

Standards: the OWASP Application Security Verification Standard (supplemented by the OWASP Web Security Testing Guide) and the OWASP Mobile Application Security Verification Standard (supplemented by the OWASP Mobile Security Testing Guide) methodologies.

  • Software Security

The assessment follows the requirements of the model defined in ISO/IEC 15408 and ISO/IEC 18045, which contains the corresponding assessment methodology. The final output of the assessment is an evaluation report based on the ISO/IEC 18045 methodology.

The assessment is based on various developer evidence – the security target, security plan documents, guidance documents, lifecycle support documents, testing documents, and the executable and testable software itself – and focuses on the security attribute defined in ISO/IEC 25010.

Our laboratory has developed detailed methodological procedures for three of the seven evaluation assurance levels defined in ISO/IEC 15408: EAL2, EAL3 and EAL4.

  • Security of electronic signature software products

The standard defining the assessment is ETSI TS 119 101 (Electronic Signatures and Infrastructures (ESI); Policy and security requirements for applications for signature creation and signature validation), applied using the assessment methodology defined in NIST SP 800-53A.

  • Cryptographic security

This evaluation methodology is applicable to software modules implementing cryptographic mechanisms.

The assessment of the cryptographic security of software products is based on the model defined in [ISO/IEC 19790] (Security requirements for cryptographic modules).

Our laboratory has developed a detailed methodology for Level 1 of the four security levels defined in [ISO/IEC 19790], based on the ISO/IEC 24759 assessment methodology.


2. Security assessment of information systems

This assessment procedure is applicable to business- and safety-critical IT systems. The assessment is based on various developer evidence – system security roadmaps, security plans, guides, test documentation – and focuses on the security attribute defined in ISO/IEC 25010.

The assessment of systems in operation is based on the NIST SP 800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans) assessment methodology. The requirements to be assessed are contained either in NIST SP 800-53 rev4 (Security and Privacy Controls for Federal Information Systems and Organizations) (for the low, moderate and high levels) or in BM Regulation 41/2015 (VII.15.), which was issued as the Hungarian harmonization of that document (for security classes 1-5). In some user areas the assessment requirements may be complemented by further requirements defined in legislation; accordingly, the main assessment areas are:

  • IT system security / IT security compliance assessment (based on the requirements of NIST SP 800-53 or BM Regulation 41/2015 (VII.15.))
  • Electronic signature systems (based on ETSI TS 119 101, MSZ EN 419241-1)
  • Paper-to-electronic conversion / Electronic conversion of paper-based documents (compliance with the requirements of Government Decree 451/2016 (XII.19.) § 55-58 and ETSI TS 119 101)
  • Assessment of audited electronic communication equipment (based on the requirements of Chapter II of MNB Regulation 26/2020)
  • Evaluation of digital archiving systems in closed systems or with electronic signature (based on the requirements of ITM Decree 1/2018 (29.VI.2018) and ETSI TS 101 533-1)
  • Conformity assessment of systems providing electronic identification and trust services (taking into account the eIDAS Regulation and the related ETSI standards and the BM Regulation 24/2016).