...not to mention exasperated, at the flurry of bad press that AMTSO (the Anti-Malware Testing Standards Organization) is suddenly receiving.

A few days ago, following an interesting blog by Kevin Townsend here to which I contributed some thoughts, I thought the time might be right for some healthy discussion about how the organization might engage better with the general user population, and used that topic as the basis for the first of a series of monthly articles I'm doing for Security Week.

That seems academic now.

Apparently, depending on which article you read:

  1. AMTSO is a self-serving group of antivirus vendors (cantankerous vendors, even) trying to impose retrograde standards unilaterally on testers. (Newsflash: testers and publishers are also members of AMTSO.)
  2. AMTSO is a sinister cabal of vendors and testers and the organization should be user driven. I haven't yet worked out why. Apparently it's also a front for the WildList Organization, or something.
  3. AMTSO should not generate guidelines or comment on anything.
  4. One testing organization has the sole monopoly of truth in testing. All the others are only doing static testing or, even worse, WildList testing. Which is apparently what AMTSO is proposing. (Yep. All those papers and guidelines advocating dynamic analysis, whole product testing, sound network testing and so on are apparently just a front. What AMTSO really wants is for all testing to be based on 20-year-old boot sector viruses. That's a JOKE, folks...)

Somewhere in this welter of misinformation, well-meant but muddled thinking, and black propaganda, there are some issues that need clarifying. But there's too much confusion (I can't get no relief) to address it all at once, or all in one place. Watch this space for further information. And while you're waiting, you might want to check the documentation and other resources at the AMTSO web site to see what the organization really proposes and what it is really trying to achieve, however slow you may think its progress has been to date.

It's not all bad, though. I'm not sure Kurt Wismer will thank me for mentioning his name or his blog, since there's a chance that because I have, he'll now be targeted for the same attacks that I've been subjected to as an individual as well as in my capacity as one of AMTSO's directors. Nonetheless, he's put up some relevant, objective and informed comments that deserve to be read by more people. I'm pretty sure he doesn't think AMTSO is perfect (neither do I!), but he does seem to have a pretty firm grip on reality.

By the way, if you'd like a less exasperated, more official reaction from AMTSO to some of the recent press, such a statement is quoted more or less in full on the AMTSO blog here.

David Harley CITP FBCS CISSP
Speaking for himself, not ESET or AMTSO