SC Magazine on the AMTSO debate
Well, I see Dan Raywood of Secure Computing magazine has entered the discussions on AMTSO (see here), and has included a link to the article where I allow AMTSO members to speak freely, but not one to my critical article. I would have been happier if he had acknowledged the connection (past or present) between SC and West Coast Labs (a member of AMTSO). Not doing so does nothing to minimize concerns.
Anyway, the article gives David Harley (of ESET and AMTSO) a pretty free hand in describing and answering some of the recent criticisms of AMTSO.
He claimed that he would not have made an investment of time and energy if he did not believe that there is a need for major improvements in testing and the public understanding of testing.
And of course he’s right. My concern is not with the intention of AMTSO but with the structure of AMTSO. Where is the voice of the user?
He highlighted three problems – firstly, while AMTSO is not a profit-making organisation, the subscription fee is fairly hefty.
Then reduce it. ‘Costs’ is not an adequate reason. If you look at the membership list of AMTSO, it is the companies, not the individuals, that are listed. And the response to negative criticism put out in a co-ordinated reply was done on company, not private, blogs. So the AV companies are involved. Remember the ash cloud flying problems? Sophos had about 60 staff caught up in Eastern Europe at the time. Their response? To hire a rather large private jet to get people home. The AV companies have the money to solve this – but they’re trying to appear at arm’s length. Frankly, it doesn’t wash. So where is the voice of the user?
That gives rise to another issue. Since we all have full-time jobs, we can’t give AMTSO the time and attention some of us would like to…
Another non-wash. If AMTSO members haven’t got the time to do it right, don’t do it at all. And like I said, it’s the companies that are listed as members, not the individuals.
The second problem is that the group includes security vendors, as well as testers and product certification agencies. Harley admitted that while mainstream vendors and testers do not necessarily see that as a problem, most people do not see it that way, rather they see it as the foxes guarding the hen house.
Precisely so. But the answer is simple. Get some users into AMTSO.
So how could standards be raised in a more general sense? Harley said that this would be by improving the quality and availability of information about tests and testing, and by making testers more accountable for the accuracy and quality of their testing.
I have no problem with this. In fact I have no problem with AMTSO, and have great respect for David Harley personally. What AMTSO says it is doing is a very good thing, and I think it is making a fair job of it. But the fact remains that without input from the users of AV products it cannot be taken seriously. If this means that the AV companies have to come off the fence, admit their involvement and put some serious money into the organisation, then so be it. But it must recruit from the users of AV products.