To qualify for Common Criteria EAL4+, the developer must provide detailed design documentation to show how the security claims documented are implemented and submit the product to a thorough vulnerability analysis. The vulnerability analysis requires both a detailed written analysis of how the product is designed to protect against identified vulnerabilities appropriate to the product’s intended use and extensive independent testing to ensure that the product lives up to its design claims.

Third party vulnerability tests are the only way to ensure that a security product is well-designed and configured, minimising the chance of system compromise through hidden vulnerabilities. Lower levels of Common Criteria certification, such as EAL2 require only developer vulnerability testing. The danger of relying on the developer to carry out these tests is that errors and assumptions made in design and development are likely to be repeated in testing, thereby increasing the risk of overlooking product weaknesses.


Implementing new solutions to protect the network infrastructure will always have hidden dangers if not considered carefully. With cost justification constantly in question, it is only reasonable to mitigate risks to a sensible level, but at least Common Criteria gives organisations reassurance that their decisions won’t be a case of out of the frying pan and into the fire.