AMTSO: Raising Testing Standards

I just came got back from Oxford (that’s the one in the UK, by the way), where the Anti-Malware Testing Standards Organization held its latest two-day meeting. I’m not usually considered to be a glass-half full person, especially when it comes to issues around testing, but I’m feeling genuinely enthusiastic about the progress that was made. I do, as it happens, honestly believe that the anti-malware industry contains some very, very talented people, and a lot of them were at this meeting. However, we’re probably not best known for being diffident yes-persons with no opinions of our own.

I may have mentioned before that we’ve been working on two major documents (the first of many, I hope): one on “The Fundamental Principles of Testing” and one on “Best Practices for Dynamic Testing.” Both are topics of major importance in the world of anti-malware testing, and some of us have put in many hours of work and discussion in meetings and on mailing lists, inside and outside AMTSO. So I can’t begin to tell you what a pleasure it was to have the final versions of both documents unanimously approved on the last day of the conference (after a lot more discussion, some of it very late on Thursday night – hope you managed to get some sleep, Matt…).

While neither document is going to turn every bad tester into a good tester, or even give the aspiring tester all the knowledge he needs to start testing or certifying products competently, they do represent a major rite-of-passage for the anti-malware industry. Historically, we’ve been highly critical of what we’ve considered to be bad testing, but not so good at offering help to people genuinely interested in offering good testing. While there is good information on the subject available, this is a vital first step towards making available a comprehensive central, vendor-agnostic informational resource. And that has to be worth a few hearty cheers. But save some breath for the other resources that we started to work on in Oxford: there’s lots more to come!

David Harley 
Director of Malware Intelligence

Author David Harley, ESET

  • Thanx David, for both your enthusiastic post as well as your efforts on both documents. As slow as some people seem to think we are, I think getting these documents out a mere 6 months after our official founding (nine months after our first meeting, and 18 months after six companies sat down in a bar in Reykjavik) is pretty astounding. And that both documents were adopted unanimously is icing on the cake. I truly believe that AMTSO members are acting for the good of the industry and not for personal or company gain. It is better to lose a correctly conducted test than to win a poorly conducted one. We are not served by being deluded into thinking our products are better than they are, and our customers are not served by being told our products are worse than they are.

    We are, of course, by no means done. But we are well and truly started.

    Mark Kennedy, Symantec.

  • Thanks, Mark. I have to agree that AMTSO has done an amazing job herding all us cats. It’s not often I come out of a meeting feeling as positive as I did on my way home on Friday. After nearly twenty years in (or on the fringes of) this industry, it still cheers me to see how readily people who are fighting for marketing advantage can still work together for the common good.

Follow us

Copyright © 2017 ESET, All Rights Reserved.