Friday, August 6, 2010

Limits of Software Evaluation Assurance

Its very common to test applications for Software Quality Assurance but there is a Software Evaluation Assurance that defines the Software assurance level that needs a equivalent consideration. The levels are of importance to all QA engineers: These levels starts with:

EAL1 - Functionally tested - Its suffice to ensure the functionality is consistent as per documentation. that's what most QA Engineers test and verify.

at EAL2 - Structurally tested - In this the users require a low to moderate level of Independently assured security in the absence of complete development record. (e.g. legacy systems)

at EAL3 - Methodically tested and checked - users require moderate level of independently assured security and require thorough investigation of TOE and its development without substantial re-engineering.

at EAL 4 - Methodically designed, tested and reviewed - users require moderate to high level of independently assured security in conventional commodity TOE and prepared to incur security specific engineering costs. examples are Windows, Linux operating systems.

EAL 5 is Semi-formally designed and tested, EAL 6 is Semi-formally verified design and tested, EAL 7 is Formally verified design and tested. EAL 7 is used for devices such as file systems, USB device, graphics and networking cards.

so if a software is at EAL 4 then EAL 2 would also be required and it would be part of the development process. Are there any automation tools can validate beyond EAL 1? In EAL 7 one would assume that the testing model is mathematically proven and guaranteed to work. That is definitely an ideal case. In some systems tools development projects it may be possible to develop a custom test automation software to do the verification that guarantee the outcome.

No comments: