C099 Certification Report
Swingvy HR Hub, Payroll and Benefits Platform
v2.1.29
File name: ISCB-5-RPT-C099-CR-V1a
Version: v1a
Date of document: 24 August 2020
Document classification: PUBLIC
For general inquiry about us or our services,
please email: mycc@cybersecurity.my
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page i of ix
PUBLIC
C099 Certification Report
Swingvy HR Hub, Payroll and Benefits Platform
v2.1.29
24 August 2020
ISCB Department
CyberSecurity Malaysia
Level 7, Tower 1,
Menara Cyber Axis, Jalan Impact,
63000 Cyberjaya, Selangor, Malaysia
Tel: +603 8800 7999 Fax: +603 8008 7000
http://www.cybersecurity.my
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page ii of ix
PUBLIC
Document Authorisation
DOCUMENT TITLE: C099 Certification Report
DOCUMENT REFERENCE: ISCB-5-RPT-C099-CR-V1a
ISSUE: v1a
DATE: 24 August 2020
DISTRIBUTION: UNCONTROLLED COPY - FOR UNLIMITED USE AND
DISTRIBUTION
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page iii of ix
PUBLIC
Copyright Statement
The copyright of this document, which may contain proprietary information, is the
property of CyberSecurity Malaysia.
The document shall be held in safe custody.
©CYBERSECURITY MALAYSIA, 2020
Registered office:
Level 7, Tower 1
Menara Cyber Axis
Jalan Impact
63000 Cyberjaya
Selangor Malaysia
Registered in Malaysia – Company Limited by Guarantee
Company No. 201601006881 (726630-U)
Printed in Malaysia
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page iv of ix
PUBLIC
Foreword
The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme has been
established under the 9th
Malaysian Plan to increase Malaysia’s competitiveness in quality
assurance of information security based on the Common Criteria (CC) standard and to
build consumers’ confidence towards Malaysian information security products.
The MyCC Scheme is operated by CyberSecurity Malaysia and provides a model for licensed
Malaysian Security Evaluation Facilities (MySEFs) to conduct security evaluations of ICT
products, systems and protection profiles against internationally recognised standards.
The results of these evaluations are certified by the Malaysian Common Criteria
Certification Body (MyCB) Unit, a unit established within Information Security Certification
Body (ISCB) Department, CyberSecurity Malaysia.
By awarding a Common Criteria certificate, the MyCB asserts that the product complies
with the security requirements specified in the associated Security Target. A Security
Target is a requirements specification document that defines the scope of the evaluation
activities. The consumer of certified IT products should review the Security Target, in
addition to this certification report, in order to gain an understanding of any assumptions
made during the evaluation, the IT product's intended environment, its security
requirements, and the level of confidence (i.e., the evaluation assurance level) that the
product satisfies the security requirements.
This certification report is associated with the certificate of product evaluation dated 14
September 2020, and the Security Target (Ref [6]). The certification report, Certificate of
product evaluation and security target are posted on the MyCC Scheme Certified Product
Register (MyCPR) at www.cybersecurity.my/mycc and the Common Criteria Portal (the
official website of the Common Criteria Recognition Arrangement).
Reproduction of this report is authorised provided the report is reproduced in its entirety.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page v of ix
PUBLIC
Disclaimer
The Information Technology (IT) product identified in this certification report and its
associate certificate has been evaluated at an accredited and licensed evaluation facility
established under the Malaysian Common Criteria Evaluation and Certification (MyCC)
Scheme using the Common Methodology for IT Security Evaluation, version 3.1 revision 5
(Ref [3]), for conformance to the Common Criteria for IT Security Evaluation, version 3.1
revision 5 (Ref [2]). This certification report and its associated certificate apply only to the
specific version and release of the product in its evaluated configuration. The evaluation
has been conducted in accordance with the provisions of the MyCC Scheme and the
conclusions of the evaluation facility in the evaluation technical report are consistent with
the evidence adduced. This certification report and its associated certificate is not an
endorsement of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certification report and its associated certificate, and no
warranty of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page vi of ix
PUBLIC
Document Change Log
RELEASE DATE PAGES
AFFECTED
REMARKS/CHANGE REFERENCE
d1 24 August 2020 All Initial draft
V1 4 September 2020 All Final Release
V1a
14 September
2020
4
Removed the word Physical Boundaries in
Section 1.4.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page vii of ix
PUBLIC
Executive Summary
The Target of Evaluation (TOE) is Swingvy HR Hub, Payroll and Benefits Platform v2.1.29.
The TOE is a software as a Service (SaaS) whilst installed, configured and deployed in the
cloud platform services (PaaS). The TOE operates in Multi-Tenant Mode that provide
solutions for managing and operating Human Resource, Payroll and Benefits. TOE is
accessible via a web browser from mobile devices and PCs.
The scope of the evaluation is defined by the Security Target (Ref[6]) which identifies
assumptions made during the evaluation, the intended environment for the TOE, the
security functional requirements, and the evaluation assurance level at which the product
is intended to satisfy the security requirements. Prospective consumers are advised to
verify that their operating environment is consistent with the evaluated configuration, and
to give due consideration to the comments, observations and recommendations in this
certification report.
This report confirms the findings of the security evaluation of the TOE to the Common
Criteria (CC) Evaluation Assurance Level 2 (EAL2). This report confirms that the evaluation
was conducted in accordance with the relevant criteria and the requirements of the
Malaysia Common Criteria Evaluation and Certification (MyCC) Scheme (Ref [4]).
The evaluation was performed by CyberSecurity Malaysia MySEF (CSM MySEF) and the
evaluation was completed on 21 August 2020.
The Malaysia Common Criteria Certification Body (MyCB), as the MyCC Scheme Certification
Body, declares that the TOE evaluation meets all the Arrangements on the Recognition of
Common Criteria certificates and the product will be listed in the MyCC Scheme Certified
Products Register (MyCPR) at http://www.cybersecurity.my/mycc and the Common Criteria
portal (the official website of the Common Criteria Recognition Arrangement) at
http://www.commoncriteriaportal.org
It is the responsibility of the user to ensure that Swingvy HR Hub, Payroll and Benefits
Platform v2.1.29 meets their requirements. It is recommended that a potential user of the
TOE refer to the Security Target (Ref [6]) and this Certification Report prior to deciding
whether to purchase the product.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page viii of ix
PUBLIC
Table of Contents
Document Authorisation................................................................................. ii
Copyright Statement ....................................................................................... iii
Foreword............................................................................................................ iv
Disclaimer........................................................................................................... v
Document Change Log.................................................................................... vi
Executive Summary ........................................................................................ vii
Index of Tables................................................................................................. ix
Index of Figures ............................................................................................... ix
1 Target of Evaluation ..................................................................................... 1
1.1 TOE Description .............................................................................................1
1.2 TOE Identification ...............................................................................................3
1.3 Security Policy..................................................................................................4
1.4 TOE Architecture ..............................................................................................4
1.4.1 Logical Boundaries........................................................................4
1.4.2 Physical Boundaries......................................................................5
1.5 Clarification of Scope......................................................................................5
1.6 Assumptions...................................................................................................5
1.6.1 Environmental assumptions..............................................................6
1.7 Evaluated Configuration..................................................................................6
1.8 Delivery Procedures .......................................................................................7
1.8.1 TOE Delivery Procedures ................................................................................7
2 Evaluation.......................................................................................... 9
2.1 Evaluation Analysis Activities..........................................................................9
2.1.1 Life-cycle support................................................................................9
2.1.2 Development ........................................................................................9
2.1.3 Guidance documents.........................................................................10
2.1.4 IT Product Testing..............................................................................10
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page ix of ix
PUBLIC
3 Result of the Evaluation................................................................14
3.1 Assurance Level Information.........................................................................14
3.2 Recommendation..........................................................................................15
Annex A References .......................................................................................16
A.1 References...................................................................................................16
A.2 Terminology................................................................................................16
A.2.1 Acronyms ....................................................................................................16
A.2.2 Glossary of Terms ......................................................................................17
Index of Tables
Table 1: Security Function........................................................................................................ 1
Table 2: TOE Identification....................................................................................................... 3
Table 3: Assumptions for the TOE Environment .................................................................... 6
Table 4: Independent Functional Test....................................................................................11
Table 5: List of Acronyms .......................................................................................................16
Table 6: Glossary of Terms .....................................................................................................17
Index of Figures
Figure 1 - TOE............................................................................................................................ 2
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 1 of 18
PUBLIC
1 Target of Evaluation
1.1 TOE Description
1 The Target of Evaluation (TOE) is Swingvy HR Hub, Payroll and Benefits Platform v2.1.29.
The TOE is a software as a Service (SaaS) whilst installed, configured and deployed in
the cloud platform services (PaaS). The TOE operates in Multi-Tenant Mode that provide
solutions for managing and operating Human Resource, Payroll and Benefits. TOE is
accessible via a web browser from mobile devices and PCs.
2 Below are the primary features of the TOE:
a) HR Information System (HRIS) - provides employee management, leave management
and employee talent management.
b) Payroll – automatically calculates all government required tax calculations and
provides automated payroll service to the users, specifically admins of companies.
c) Benefits store – allow admins to purchase benefits (such as group insurance) for
their employees.
3 The following table highlights the range of security functions implemented by the TOE:
Table 1: Security Function
Security Function Description
Access Control The TOE manages access control within each
organisation based on user IDs, user roles and access
control lists. Each ACL maps users and roles to the
operations that they are permitted to perform on the
object.
Identification &
Authentication
The TOE requires that each user is successfully
identified (user IDs) and authenticated (Minimum
password length of 8-characters with at least 1 capital
letter and 1 special or numeric character) before any
interaction with protected resources is permitted.
Security
Management
The TOE provides functions that allow management of
the TOE and its security functions. The TOE restricts
access to the management functions
based on the role of the user.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 2 of 18
PUBLIC
4 The TOE type is a web-based application, in which the TOE is a SAAS designed to be
used for a web-based application environment. The TOE provides security functionality
such as access control, identification and security management.
5 A typical implementation of the TOE can be found in Figure 1 below, which identifies
the various components of the TOE architecture.
Figure 1 - TOE
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 3 of 18
PUBLIC
1.2 TOE Identification
6 The details of the TOE are identified in Table 2: TOE Identification below.
Table 2: TOE Identification
Evaluation Scheme
Malaysian Common Criteria Evaluation and Certification
(MyCC) Scheme
Project Identifier C099
TOE Name Swingvy HR Hub, Payroll and Benefits Platform
TOE Version v2.1.29
Security Target Title Swingvy HR Hub, Payroll and Benefits Platform v2.1.29
Security Target
Security Target Version V1.1
Security Target Date 21 July 2020
Assurance Level Evaluation Assurance Level 2
Criteria
Common Criteria for Information Technology Security
Evaluation, April 2017, Version 3.1, Revision 5 (Ref [2])
Methodology
Common Methodology for Information Technology
Security Evaluation, April 2017, Version 3.1, Revision 5
(Ref [3])
Protection Profile
Conformance
None
Common Criteria
Conformance
CC Part 2 Conformant
CC Part 3 Conformant
Package conformant to EAL 2
Sponsor
Swingvy Sdn Bhd
B1-2-1, Solaris Dutamas, No 1, Jalan Dutamas 1, 50480
W.P. Kuala Lumpur
Developer
Swingvy Sdn Bhd
B1-2-1, Solaris Dutamas, No 1, Jalan Dutamas 1, 50480
W.P. Kuala Lumpur
Evaluation Facility
CyberSecurity Malaysia MySEF (CSM MySEF)
Level 7, Tower 1
Menara Cyber Axis
Jalan Impact
63000 Cyberjaya
Selangor Malaysia
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 4 of 18
PUBLIC
1.3 Security Policy
7 There is no organisational security policy defined regarding the use of TOE.
1.4 TOE Architecture
8 The TOE consist of logical boundaries which are described in Section 1.6 of the Security
Target (Ref [6]).
1.4.1 Logical Boundaries
9 The logical boundary of the TOE is summarized below.
• Access Control
The access control function permits a user to access a protected resource only
if the user ID or user role has permission to perform the requested action on the
resource. Access rules are stored in Access Control Lists associated with each
object in the TSC. The TOE maintain role-based access control mechanisms to
ensure that the TOE security management functions are restricted to those who
have the privilege to access them. Admin user is the only user that has the ability
to assign privilege to each individual Authorised User.
• Identification & Authentication
All users are required to be identified and authenticated before any information
flows are permitted. At the login page, TOE users need to key in a valid username
and password in order to access the TOE. The acceptable minimum password
length is 8-characters with at least 1 capital letter and 1 special or numeric
character. The TOE checks the credentials presented by the user against the
authentication information stored in the database.
• Security Management
The TOE contains various management functions to ensure efficient and secure
management of the TOE. The TOE restricts access to the management functions
based on the role of the user. The TOE defines two security management roles:
Admin and Authorised User.
a) Admin user able to perform:
§ User Management: Add User, View/Edit User Profile and Terminate User
§ Group Management: Add/Edit/Delete Group, Edit User Permission Group,
Edit User Group
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 5 of 18
PUBLIC
§ Organisation: Add/Edit/Delete Job Title
§ Organisation: Add/Edit/Delete Department
§ Leave Management
§ Talent Management
§ Payroll Management
§ Benefits Store: Health Benefit Management
§ Edit Office and Time zone setting
§ Change password for own account
b) Authorised User able to perform:
§ User Management: View/Edit User Profile
§ Leave Management
§ Change password for own account
1.4.2 Physical Boundaries
10 Physical scope is not applicable for this TOE.
1.5 Clarification of Scope
11 The TOE is designed to be suitable for use in accordance with user guidance that is
supplied with the product.
12 Section 1.4 of this document describes the scope of the evaluation, which is limited to
those claims made in the Security Target (Ref [6]).
13 Potential consumers of the TOE are advised that some functions and services of the
overall product have not have been evaluated as part of this evaluation. Potential
consumers of the TOE should carefully consider their requirements for using functions
and services outside of the evaluated configuration.
1.6 Assumptions
14 This section summarises the security aspects of the environment/configuration in which
the product is intended to operate. Consumers should understand the cloud
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 6 of 18
PUBLIC
environment (PaaS) and requirements for secure operation of the TOE as defined in the
Security Target (Ref [6]).
1.6.1 Environmental assumptions
15 Assumptions for the TOE environment as described in the Security Target (Ref [6]):
Table 3: Assumptions for the TOE Environment
Environment Statement
A.NOEVIL It is assumed that the person who manages the TOE is not
hostile and is competent.
A.NOTRST The TOE can only be accessed by authorized users.
A.COMM_PROTECT The IT environment will provide a secure channel so that all
potentially valuable information (including credentials and
enterprise data) is protected between the user and
application server.
A.CLOUD The cloud environment will provide a load balancing, web
application firewall (WAF) and network traffic filters (e.g.
access control lists (ACL)) services in order to prevent the
attacker from performing any malicious activity against the
TOE and to prevent application failure.
1.7 Evaluated Configuration
16 The TOE is delivered to the users in its operational state (SaaS) and TOE configuration
is not required.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 7 of 18
PUBLIC
1.8 Delivery Procedures
17 The evaluators examined the delivery documentation and determined that it describes
all procedures that are necessary to maintain security when distributing versions of the
TOE or parts of it to the consumer.
18 The evaluators also examined the aspects of the delivery process and determined that
the delivery procedures are used.
1.8.1 TOE Delivery Procedures
19 The delivery of the TOE from the development and build environment to the production
server goes through the following phases:
a) Information Gathering: Swingvy will gather requirements from the following 2
sources; Customers’ feedback / request and research by Swingvy internal product
business owners. Once the requirements are listed, product business owners,
designers and developers will have an internal meeting and the designers will finalize
the functional designs.
b) Development and build: The development and build process are controlled within
Swingvy’s development environment. Designers and developers will collaborate to
build or enhance products to meet the requirements.
c) Released: A specific set of procedures are followed before a new version of the TOE
or any key component can be released, these procedures include the following:
i. A pre-release meeting will be held to determine all relevant documents are in
place.
ii. The pre-release meeting will also determine the release version of the
Applications.
iii. The release date will be established.
iv. Codes are migrated to the build server, which resides in the cloud infrastructure
through secured connections (SSL).
v. Test build of the application is deployed to the protected environment and go
through QA process.
vi. Production build of the application is compiled and packaged in the build server.
The application is compiled and packaged in the build server.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 8 of 18
PUBLIC
vii. The release version will be then reflected correctly into the corresponding
documents, ie, Modules/Bug Fix tracking, Process Flow Diagram and Data Flow
Diagram.
viii. All documents to be submitted for approval by respective Managers.
ix. Notification will be sent out to respective Clients to notify the blackout period
prior to Release.
d) Delivery and acceptance: Once the new version of the TOE or key application
component is released it is verified by the developers by checking the version of the
TOE and checking the version with the Release logs. Only after a successful verification
will the TOE be accepted and be put onto production server for use. In order for the
TOE users to access the TOE, TOE users need to browse to https://www.swingvy.com
and register for an account. At the main page of the website, TOE users can click on
the ‘Get Started’ button and fill in all the necessary information such as Full Name,
Company Name, Email Address, Password, Confirm Password, Business Industry,
Number of employees, Country and State and click on the ‘Create Account’ button.
The acceptable minimum password length is 8-characters with at least 1 capital letter
and 1 special or numeric character. After the registration process, TOE users will
receive an email (the contents of the email are Intro Video and Onboarding Guide) and
able to start using the TOE.
e) Product technical support: TOE users will contact Swingvy’s Customer Success (CS)
team via email (support@swingvy.com) or browse to TOE’s Help Center
(https://help.swingvy.com/en/)when they have any issues in operating the TOE.
However, if the issue involves technical issues (such as data issue) that can’t be resolve
via email, then the CS team will hand over the issue to a corresponding product's
developers for further investigation.
f) User Registration: TOE users will be able to register and start using the TOE by
browsing to https://secure.swingvy.com/#/register. To get started, TOE users need to
fill in all the particulars and click on ‘Create Account’ button. The communication
between the TOE and server is protected by HTTPS.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 9 of 18
PUBLIC
2 Evaluation
20 The evaluation was conducted in accordance with the requirements of the Common
Criteria, version 3.1 Revision 5 (Ref [2]) and the Common Methodology for IT Security
Evaluation (CEM), version 3.1 Revision 5 (Ref [3]). The evaluation was conducted at
Evaluation Assurance Level 2. The evaluation was performed conformant to the MyCC
Scheme Requirement (MyCC_REQ) (Ref [4]) and ISCB Evaluation Facility Manual
(ISCB_EFM) (Ref [5]).
2.1 Evaluation Analysis Activities
21 The evaluation activities involved a structured evaluation of the TOE, including the
following components:
2.1.1 Life-cycle support
22 An analysis of the TOE configuration management system and associated
documentation was performed. The evaluators found that the configuration items were
clearly and uniquely labelled, and that the access control measures as described in the
configuration management documentation are effective in preventing unauthorised
access to the configuration items. The developer’s configuration management system
was evaluated, and it was found to be consistent with the provided evidence.
23 The evaluators examined the delivery documentation and determined that it described
all of the procedures required to maintain the integrity of the TOE during distribution
to the consumer.
2.1.2 Development
24 The evaluators analyzed the TOE functional specification; they determined that the
design completely and accurately describes the TOE security functionality interfaces
(TSFIs), and how the TOE security function (TSF) implements the security functional
requirements (SFRs).
25 The evaluators examined the TOE design specification; they determined that the
structure of the entire TOE is described in terms of subsystems. They also determined
that, it provides a complete, accurate, and high-level description of the SFR-enforcing
behavior of the SFR-enforcing subsystems.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 10 of 18
PUBLIC
26 The evaluators examined the TOE security architecture description; they determined
that the information provided in the evidence is presented at a level of detail
commensurate with the descriptions of the SFR-enforcing abstractions contained in the
functional specification and TOE design.
27 At the end, the evaluators confirmed that all the requirements for this class were fulfilled
and passed.
2.1.3 Guidance documents
28 The evaluators examined the TOE operational user guidance, and determined that it
sufficiently and unambiguously described how to securely transform the TOE into its
evaluated configuration, and how to use and administer the product in order to fulfil
the security objectives for the operational environment. The evaluators examined and
tested the operational guidance, and determined that they were complete and
sufficiently detailed to result in a secure configuration.
29 The evaluators confirmed that the TOE guidance was fulfilled all the requirements and
passed for this class.
2.1.4 IT Product Testing
30 Testing at EAL 2 consists of assessing developer tests, performing independent
functional test, and conducting penetration tests. The TOE testing was conducted by
CyberSecurity Malaysia MySEF (CSM MySEF). The detailed testing activities, including
configurations, procedures, test cases, expected results and actual results are
documented in a separate Test Plan Report.
2.1.4.1 Assessment of Developer Tests
31 The evaluators verified that the developer has met their testing responsibilities by
repeating some developer test, as documented in the Evaluation Technical Report (Ref
Error! Reference source not found.) (not a public document because it contains
information proprietary to the developer and/or the evaluator). The results of the
evaluators’ tests are consistent with the developers’ test results defined in their
evaluation evidences submitted.
2.1.4.2 Independent Functional Testing
32 At EAL 2, independent functional testing is the evaluation conducted by evaluators
based on the information gathered by examining design and guidance documentation,
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 11 of 18
PUBLIC
examining developer’s test documentation, executing a subset of the developer’s test
plan, and creating test cases that are independent of the developer’s tests.
33 All testing was planned and documented to a sufficient level of detail to allow
repeatability of the testing procedures and results. The results of the independent
functional tests were recorded by the evaluators and are consistent with the expected
test results in the test documentation.
Table 4: Independent Functional Test
Test Title
Description
Security
Function
Results
Test Group A: Administration
A1. Manage group (add, edit,
delete)
A2. Manage organization
A3. Manage user (add, view,
edit, terminate)
A4. Manage user profile (view,
edit)
A5. Manage leave (admin)
A6. Manage leave (user)
A7. Manage talent
A8. Manage payroll
A9. Manage benefit store
A10. Edit office and time zone
This test group
comprises a series of
test cases on Security
Management and
Access Control which
are; manage group,
manage organisation,
manage user, manage
leave, manage talent,
manage payroll,
manage benefit store,
and manage office and
time zone.
FDP_ACC.1
FDP_ACF.1
FIA_ATD.1
FMT_MSA.1
FMT_MSA.3
FMT_MTD.1
FMT_SMF.1
FMT_SMR.1
FPT_STM.1
Passed.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 12 of 18
PUBLIC
Test Title
Description
Security
Function
Results
Test Group B: Identification
& Authentication
B1. Login using correct
credential
B2. Login using wrong
credential
B3. User idle
B4. Change password
B5. Activate account
This test group
comprises a series of
test cases on
identification and
authentication, re-login
after idle, change
password and account
activation.
FIA_UAU.2,
FIA_UID.2
FIA_UAU.6
FIA_UAU.1,
FIA_SOS.1,
FMT_MTD.1,
FDP_ACC.1a,
FDP_ACC.1b,
Passed.
34 All testing performed by evaluators produced the expected results and as such the TOE
behaved as expected.
2.1.4.3 Vulnerability Analysis
35 The evaluators performed a vulnerability analysis of the TOE in order to identify
potential vulnerabilities in the TOE. This vulnerability analysis considered public domain
sources and an analysis of guidance documentation, functional specification, TOE
design, and security architecture description.
36 From the vulnerability analysis, the evaluators conducted penetration testing to
determine that the TOE is resistant to attack performed by an attacker possessing a
basic attack potential. The following factors have been taken into consideration during
penetration tests:
a) Time taken to identify and exploit (elapsed time);
b) Specialist technical expertise required (specialised expertise);
c) Knowledge of the TOE design and operation (knowledge of the TOE);
d) Window of opportunity; and
e) IT hardware/software or other equipment required for exploitation
2.1.4.4 Vulnerability testing
37 The penetration tests focused on:
a) Injection
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 13 of 18
PUBLIC
b) Broken Authentication
c) Cross Site Scripting (XSS)
d) Broken Access Control
e) Sensitive Data Exposure
f) Insufficient Logging and Monitoring
g) Security Misconfiguration
h) Insecure Deserialization
38 The result of the penetration testing noted that there is no residual vulnerability found.
However, it is important to ensure that the TOE is use only in its evaluated configuration
and in secure environment as specified in the Security Target (Ref [6]).
2.1.4.5 Testing Results
39 Tests conducted for the TOE produced the expected results and demonstrated that the
product behaved as specified in its Security Target and its functional specification.
Therefore, the certifiers confirmed that all the test conducted were PASSED as expected.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 14 of 18
PUBLIC
3 Result of the Evaluation
40 After due consideration during the oversight of the execution of the evaluation by the
certifiers and of the Evaluation Technical Report (Ref [7]), the Malaysian Common
Criteria Certification Body certifies the evaluation of Swingvy HR Hub, Payroll and
Benefits Platform v2.1.29 which is performed by CyberSecurity Malaysia MySEF (CSM
MySEF).
41 CyberSecurity Malaysia MySEF (CSM MySEF) found that Swingvy HR Hub, Payroll and
Benefits Platform v2.1.29 upholds the claims made in the Security Target (Ref [6]) and
supporting documentations, and has met the requirements of the Common Criteria (CC)
Evaluation Assurance Level 2.
42 Certification is not a guarantee that a TOE is completely free of exploitable
vulnerabilities. There will remain a small level of risk that exploitable vulnerabilities
remain undiscovered in its claimed security functionality. The risk is reduced as the
certified level of assurance increases for the TOE.
3.1 Assurance Level Information
43 EAL 2 provides assurance by a full security target and analysis of the SFRs in that Security
Target, using functional and interface specifications, guidance documentation and a
description of the design of the TOE and the implementation to understand the security
behaviours.
44 The analysis is supported by independent testing of the TSF, evidence of developer
testing based on the functional specification, selective independent confirmation of the
developer test results, and a vulnerability analysis (based upon the functional
specification, TOE design, security architecture description and guidance evidence
provided) demonstrating resistance to penetration attackers with a basic attack
potential.
45 EAL 2 also provides assurance through use of a configuration management system and
evidence of secure delivery procedures.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 15 of 18
PUBLIC
3.2 Recommendation
46 The Malaysian Certification Body (MyCB) is strongly recommended that:
a) Developer is recommended to ensure that all functionality that exposes information
related to back-end test, demo, or staging environments should not be included in
a production build.
b) Developer is recommended to keep on updating the TOE user guide and relevant
documentations based on updated features of the TOE.
c) Developer is recommended to provide a good support and information updates to
all client/consumer on the TOE especially on the security and critical updates related
to the TOE security features and its supporting software running in the same
environment.
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 16 of 18
PUBLIC
Annex A References
A.1 References
[1] Arrangement on the recognition of Common Criteria Certificates in the field of
Information Technology Security, July, 2014.
[2] The Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 5, April 2017.
[3] The Common Methodology for Information Technology Security Evaluation, Version
3.1, Revision 5, April 2017.
[4] MyCC Scheme Requirement (MYCC_REQ), v1, CyberSecurity Malaysia, December 2019.
[5] ISCB Evaluation Facility Manual (ISCB_EFM), v2a, August 2020.
[6] Swingvy HR Hub, Payroll and Benefits Platform Security Target, Version 2.1.29, 21 July
2020.
[7] Evaluation Technical Report, Version 1, 19 August 2020.
A.2 Terminology
A.2.1 Acronyms
Table 5: List of Acronyms
Acronym Expanded Term
CB Certification Body
CC Common Criteria (ISO/IEC15408)
CEM Common Evaluation Methodology (ISO/IEC 18045)
CCRA Common Criteria Recognition Arrangement
IEC International Electrotechnical Commission
ISO International Organisation for Standardization
ISCB Information Security Certification Body
MyCB Malaysian Common Criteria Certification Body
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 17 of 18
PUBLIC
Acronym Expanded Term
MyCC Malaysian Common Criteria Evaluation and Certification
Scheme
MyCPR MyCC Scheme Certified Products Register
MySEF Malaysian Security Evaluation Facility
PP Protection Profile
ST Security Target
TOE Target of Evaluation
A.2.2 Glossary of Terms
Table 6: Glossary of Terms
Term Definition and Source
CC International
Interpretation
An interpretation of the CC or CEM issued by the CCMB that
is applicable to all CCRA participants.
Certificate The official representation from the CB of the certification of
a specific version of a product to the Common Criteria.
Certification Body An organisation responsible for carrying out certification
and for overseeing the day-today operation of an Evaluation
and Certification Scheme. Source CCRA
Consumer The organisation that uses the certified product within their
infrastructure.
Developer The organisation that develops the product submitted for CC
evaluation and certification.
Evaluation The assessment of an IT product, IT system, or any other
valid target as defined by the scheme, proposed by an
applicant against the standards covered by the scope defined
in its application against the certification criteria specified in
the rules of the scheme. Source CCRA and MS-ISO/IEC Guide
65
PUBLIC
FINAL
C099 Certification Report ISCB-5-RPT-C099-CR-V1a
Page 18 of 18
PUBLIC
Term Definition and Source
Evaluation and Certification
Scheme
The systematic organisation of the functions of evaluation
and certification under the authority of a certification body
in order to ensure that high standards of competence and
impartiality are maintained and that consistency is achieved.
Source CCRA.
Interpretation Expert technical judgement, when required, regarding the
meaning or method of application of any technical aspect of
the criteria or the methodology. An interpretation may be
either a national interpretation or a CC international
interpretation.
Certifier The certifier responsible for managing a specific certification
task.
Evaluator The evaluator responsible for managing the technical aspects
of a specific evaluation task.
Maintenance Certificate The update of a Common Criteria certificate to reflect a
specific version of a product that has been maintained under
the MyCC Scheme.
National Interpretation An interpretation of the CC, CEM or MyCC Scheme rules that
is applicable within the MyCC Scheme only.
Security Evaluation Facility An organisation (or business unit of an organisation) that
conducts ICT security evaluation of products and systems
using the CC and CEM in accordance with Evaluation and
Certification Scheme policy
Sponsor The organisation that submits a product for evaluation and
certification under the MyCC Scheme. The sponsor may also
be the developer.
--- END OF DOCUMENT ---