© February 6, Novell Inc.
5
Congratulations
Your experimental report sounds a lot like a
Common Criteria evaluation

It may not be perfect, but it DOES provide an
Evidence Based Assessment of a product

And if it doesn't answer the questions you're asking -
¥Òare there buffer overflowsÓ, Òcan you tell what it's doingÓ, Òdoes it transmit your key in the SSL packet headersÓ, Òdoes it store your secrets in plain sightÓ
Then you're not looking in the right places, or
You need to bake your questions into the requirements