I may have mentioned from time to time that ESET is a strong supporter of AMTSO (the Anti-Malware Testing Standards Organization), an international organization that promotes improved methodologies for testing security products.
Last week we held an AMTSO workshop in Prague. While there was some hard discussion around some topics that I'll come back to in a future blog, one of the positive outcomes, as announced officially today, is that AMTSO's members have approved a document that offers guidelines to vendors on ways in which they can make it easier to test products accurately.
The document "AMTSO Guidelines on Facilitating Testability” was initiated at the suggestion of testers and developed jointly by testers and vendors (actually, I was in the original group that worked on it).
It suggests that vendors need to look at areas such as improving the details held within product logs and providing support for more automation within testing, including closer communications to keep testers up to date with product changes. Automation is a vital tool for enabling tests that are executed on a larger scale, but when a number of vendors recently altered their methods for displaying prompts, an extensive test had to be re-engineered mid-stream to accommodate the changes.
The new paper is the latest in a succession of Guidelines and Best Practices documents already published here. The membership also agreed to expand the range of documentation the organization produces to include more consumer-friendly, educational material, and introduced changes to its voting procedure to ensure that documents cannot be approved by the membership unless a supermajority of testers agree that the content is up to standard. This last measure is designed to avoid any possibility of bias in favour of any one group within the organization.
More information in the press release available here.
David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow
Author David Harley, We Live Security