I was interviewed yesterday by Fred Donovan, following up on the paper on AMTSO I presented at EICAR earlier this month. I may be prejudiced, but I think he's summarized my current thoughts on the topic pretty well in the article, though it isn't my recommendation that the existing guidelines be reviewed independently: it was one of the suggestions that came out of the last workshops. Not that I'm against it, either: it might be one way of giving them more credibility, but I'm not sure it would transform them from guidelines to standards.
The Infosecurity Magazine article is here: AMTSO has credibility gap for anti-virus testing standards
Whether AMTSO's new executive team will agree is another question. I look forward to seeing how that initiative pans out.
But for myself, I continue to consider it essential for AMTSO – or an organization including or replacing it – to have better credibility than it does right now: if this initiative fails, testing is, in my eyes, close to useless because there will be no impartial authority to hold testers to account for the accuracy of their conclusions, and in the long run that will hurt their credibility. Hat tip to @imaguid for forcing me to crystallize that thought, unpalatable though it is.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow