You should look into sections that cover test activity in the CEM.
(5.8, 6.8, 7.9, 8.9)

For EAL4 this would be the following.
8.9.2 Evaluation of Coverage (ATE_COV.2)
8.9.3 Evaluation of Depth (ATE_DPT.1)
8.9.4 Evaluation of Functional tests (ATE_FUN.1)
8.9.5 Evaluation of Independent testing (ATE_IND.2)

The evaluation of the test relys on the developer test documentation
(test plan, test procedure, expected results...which is not disclosed).
It is rather a matter of proving that the Target Of Evaluation (TOE)
adequately protects the Asset.

I would not want to spend US$1,000,000,000,000,000,000 to
protect my wallet (which has about $20 in it right now).

On the other hand I hope the US government spends whatever
is needed to protect the IT system for a nuclear missile
launch system.

So, it should suffice to prove that the security functions
can not be circumvented by an threat agent described in the ST.
__________________________________
Do You Yahoo!?
Upgrade Your Life
http://bb.yahoo.co.jp/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Rule #1 of security: It's never perfect.

Rule #2 of security: It's stupid to spend more effort on security than you
need to.

Rule #3 of security: Good security features raise the attacker's cost faster
than they raise your cost. Bad security features are the opposite.

Rule #4 of security: The "right security" is that set of features which raises
the attacker's cost to equal the value of the target, while having the lowest
total sum cost to you.

Almost all bank vaults have security functions (big lockable doors, solid walls,
and so on). The fact that they are still circumventable doesn't mean they're
useless. If the bank has (for instance) an average of $150K in the vault at
a given time, they don't need perfect security - they only need enough security
so it costs an attacker at least $150K to break it. Yes - there's probably some
psycho asshole bank robber who will attack the bank *anyhow*, even if it costs
him $250K and he ends up $100K in the hole. Since it's going to cost you
a lot *more* to stop the $250K attack, your best bet at that point is to
quit improving the security any further, and just shell out the $5K/year in
insurance premiums to cover the bank's losses.. ;) (This also explains why
major branches that may have $3M in cash have lots more sophisticated vaults
than tiny branches, which tend to the wimpier vaults...)

Why is the credit card system basically insecure? Because the banks have
figured out that if they spend $X, the fraud rate will be 3%, but to push it down
to 1% would cost a LOT more $X. What maximizes their return seems to be
spending enough on security to keep the fraud rate around 2%.

Schneier's "Secrets and Lies" has a lot more good stuff to say about this...