Cybersecurity Evaluation

Cybersecurity evaluation services for hardware and software products, based on Common Criteria experience and structured vulnerability analysis.

What Cybersecurity Evaluation Means in Practice

Cybersecurity evaluation is a structured, technical assessment of product security, focused on identifying vulnerabilities and strengthening protection against potential threats.

At QIMA, cybersecurity evaluations apply a structured methodology informed by our experience gained through Common Criteria evaluations and are used for both software and hardware products.

The evaluation focuses on understanding how the target product works in practice by analysing documentation and, where applicable, source code before and during vulnerability assessment activities. This approach enables deeper identification of weaknesses and supports more effective remediation.

Security improvement is achieved progressively: first addressing the most critical issues, then strengthening the overall security of the system through iterative re‑assessment.

Our Cybersecurity Evaluation Methodology

QIMA applies a step‑by‑step evaluation methodology informed by experience gained through Common Criteria evaluations.

This typically includes:

  • Analysis of product documentation and architecture

  • Review of source code where applicable

  • Identification of potential flaws using Flaw Hypothesis methodology

  • Vulnerability assessment and penetration testing

  • Generalization of identified errors to uncover systemic weaknesses

  • Recommendations for remediation and corrective action

  • Re‑evaluation to confirm that issues have been addressed

This methodology allows vulnerabilities to be identified earlier, understood more clearly, and corrected more effectively.

Cybersecurity Evaluation Services We Provide

QIMA provides the following cybersecurity evaluation services for software and hardware products:

Vulnerability Assessment

Structured analysis of product operation to identify potential vulnerabilities using established evaluation methodologies.

Penetration Testing

Penetration testing that goes beyond ethical hacking by combining:

  • black‑box testing

  • grey‑box testing

  • white‑box testing

These are combined with systematic evaluation techniques focused on how the product is actually implemented.

Hardening

Support in identifying and correcting common and complex security weaknesses, including:

  • input validation issues (e.g. SQL injection, cross‑site scripting (XSS), remote and local file inclusion (RFI/LFI))

  • privilege and entitlement bypass

  • weak or incorrectly implemented cryptography

  • memory management issues (e.g. buffer overflows)

  • session management weaknesses

  • configuration‑related vulnerabilities

Security Audit

Comprehensive security audits covering:

  • organizational and technical security controls

  • behavioural and human‑factor risks

  • regulatory considerations

  • social engineering and awareness aspects

For mobile applications, evaluations can follow the OWASP Mobile Application Security Verification Standard (MASVS):

  • MASVS‑L1 (Standard Security) as the baseline level

  • MASVS‑L2 (Defense‑in‑Depth) as an optional extension

Security by Design

Support for integrating security into system and organizational design, including:

  • business continuity management (BCM) consulting

  • business continuity planning (BCP) and disaster recovery planning (DRP)

  • security testing design and management

  • user acceptance testing (UAT) support

  • site security screening

Secure Coding Training

Professional secure coding training for development teams, including:

  • Java

  • JavaScript

  • C / C++

  • C#

  • Python

Hardware Security Analysis

Hardware‑focused security analysis based on product schematics and documentation, including:

  • architecture and design review

  • evaluation of external interfaces (e.g. optical, Ethernet, serial)

  • evaluation of internal interfaces (e.g. JTAG, serial ports)

  • tamper detection and prevention mechanisms

QIMA has specific experience in smart metering hardware data security.

When Cybersecurity Evaluation Is Typically Used

Cybersecurity evaluation is commonly performed:

  • during product development

  • before market placement

  • when strengthening product security maturity

  • as part of a broader security assurance or improvement activity, including scenarios where higher‑assurance evaluation is planned

The duration of an evaluation depends on product complexity and assurance objectives. Simple penetration testing activities may take weeks, while complex vulnerability assessments may take months. Higher‑assurance evaluations can take longer, depending on documentation quality and identified deficiencies.

How QIMA Supports Cybersecurity Evaluation Projects

QIMA supports cybersecurity evaluation projects through:

  • experienced evaluation teams

  • structured evaluation approaches

  • close collaboration with development and security teams

  • practical remediation guidance and re‑testing

The focus is on delivering actionable findings that help organizations progressively improve product security.

Resources

In addition to core services, QIMA provides resources to help organizations understand cybersecurity requirements, build internal capability, and stay informed as regulations and threats evolve.

These include:

  • Events including conference participation, where QIMA cybersecurity experts share insights through live sessions and on‑demand content

  • Training and workshops for development, security, and compliance teams

  • Downloads such as guides, infographics, and checklists supporting compliance and security improvement

  • Blogs providing updates on cybersecurity risks, regulatory developments, and best practices

  • Newsletters delivering insights and updates directly to subscribers

  • Frequently Asked Questions (FAQs) addressing common cybersecurity, evaluation, and certification topics

Talk to Our Cybersecurity Experts

If you need a structured cybersecurity evaluation for your hardware or software products, QIMA can support you with evaluation services informed by Common Criteria experience.

Contact us to discuss your requirements

FAQs

What can QIMA recommend if you need a hardware or software evaluation?

QIMA proposes a step‑by‑step approach to its clients during security evaluations, using a methodology based on experience gained through Common Criteria evaluations.

What is the advantage of an evaluation based on this methodology?

The essence of the methodology is to analyze the documentation in more depth and detail and, where applicable, the source code, followed by penetration testing. Based on the errors found, we generalize them to uncover related weaknesses, eliminate or correct them, and perform a re‑check.

The target security level can be reached incrementally: first solving the most critical problems, then strengthening the security of the IT system gradually.

What cybersecurity evaluation services can QIMA offer?

  • Security by design

  • Secure coding training

  • Vulnerability assessment

  • Penetration testing

  • Hardening

  • Security audit

Are evaluations available for mobile applications?

For mobile applications, QIMA proposes to follow the OWASP Mobile Application Security Verification Standard. The evaluation process is based on the MASVS‑L1 Standard Security level and can be extended to the MASVS‑L2 Defense‑in‑Depth level.

How long does a hardware or software evaluation take?

It depends on the product being tested, in particular its complexity and the assurance objectives.

A simple penetration testing task may take a few weeks, while a complex vulnerability assessment project can take several months. Higher‑assurance Common Criteria evaluations can take 6–12 months, depending on the quality of manufacturer documentation and the number of deficiencies identified during the evaluation.
