> Are you suggesting that Common Criteria is using a metric to determine security level or simply that EAL4 (like one of the Windows variants has) or other is useful in this regard?

Keep in mind that EAL4+ is the level of assurance you have that they met the goals outlined in their Security Target (http://niap.nist.gov/cc-scheme/st/ST_VID4025-ST.pdf). Those goals are quite low when compared with the goals of Trusted Solaris (http://www.cesg.gov.uk/site/iacs/itsec/media/sectarg/TSolaris8_Issue3.1.pdf).

You can’t compare the assurance metric alone without considering what it is providing assurance of =).

Robert

Are you suggesting that Common Criteria is using a metric to determine security level or simply that EAL4 (like one of the Windows variants has) or other is useful in this regard?

We already have one – http://www.commoncriteriaportal.org/. Assurance is much a better measurement than the lagging indicator of vulnerability counts.

Using the vulnerabilty count data to measure how secure a product is reminds me of the villagers logic from Monty Pythons Holy Grail where they attempt to determine if the young lady is a witch – Re-read http://www.mwscomp.com/movies/grail/grail-05.htm and replace the test for being a witch with measuring insecure software. =)

Robert