A Quick Note on Common Criteria and Penetration Testing
There is a difference in scope and objectives between Common Criteria evaluation and penetration testing.
Common Criteria evaluation focuses primarily on ensuring that there are no exploitable vulnerabilities in the composite environment formed by the Product being evaluated together with the Physical, Procedural, and Personnel countermeasures established by the System (or Site) Security Policy.
Penetration testing attempts to find ANY kind of security problem and focuses ONLY on the product being tested (regardless of any other aspects of the environment).
The difference in scope between Common Criteria and penetration testing often leads to misunderstanding and confusion. Each side has its "truth" but the other side "can't handle the truth". This has been the case for many years.
In particular, it is possible for a product to obtain a Common Criteria certificate even if it has multiple security faults, provided that the securely configured product, in its securely configured environment, has no exploitable vulnerabilities.
There are also the usual issues of the attacker wanting recognition and prestige, and the victim wanting damage limitation to preserve image and business.