I’ve spent the last couple of days in Prague (never a real hardship) at the AMTSO (Anti-Malware Testing Standards Organization) conference. The subject of Testing is one that I, and many others in the industry, have been interested in for a long time. Indeed, my main contribution to the AVIEN Malware Defense Guide was a chapter discussing testing. The whole reason for AMTSO forming was to try to create some clarity around the increasingly complex issues of testing. It may seem to some – particularly those who may never have attended an event involving large numbers of people with (slightly or wildly) differing opinions – that the wheels of AMTSO grind very slowly. However, this is not the case: these are complex issues, and the important thing is to ensure that, if a document is published, it meets the aims and principles of the organisation. To that end, all documents must be fully discussed and formally voted upon by the membership. The meetings are a productive time where final adjustments to the documents that have been put together over the past months can be made, and these documents voted upon.
There are already signs that AMTSO is having a positive effect: many testers have joined in the effort – as, clearly, bad testing also has a negative effect on their reputations – and many mentions of the group have been seen in the press and in security circles. I hope that the increased awareness will encourage people to get involved, and that the progress will continue. The conference was interesting for all, with some good discussion on controversial topics. Keep an eye out for a press release over the next couple of weeks, and the appearance of some news on the AMTSO site.
Anti-malware testing is something that really does affect anyone who has a computer, so it’s great to know that there is a group dedicated to promoting ethical practice and laying out guidelines for good testing that can showcase the abilities of modern products.
As a member of AMTSO (but not an official representative of it), I’m happy to say that I fully support the efforts, and while it may seem slow, and often progress does involve a level of complexity akin to herding cats, it’s a worthwhile effort, and it is to be hoped that it will continue to go from strength to strength.
Andrew Lee CISSP