Common Criteria evaluation – getting product security right