One of the more interesting things to happen to me in the past few months - well, that I'm going to talk about in public - is that I was elected to the Board of Directors of AMTSO (The Anti-Malware Testing Standards Organization). Interesting and scary: the first couple of months have seen me at three face-to-face meetings (fortunately for me, two of them were one after the other at the same venue in the UK), and my conference calls and email volumes have definitely escalated.

But that's OK. If you've been following my blogs over the past 18 months or so, or seen any of my presentations on testing, you'll have noticed that I'm pretty enthusiastic about AMTSO and its aims: I believe that it's the best chance we have right now of closing the enormous gap between the unrealistic assumptions, expectations and methodologies adopted by so many testers, and the realities of the threatscape and the security technologies that this industry currently works with. I'm well aware that many people are cynical about the purity of intent of anti-malware companies, but there are some of us who believe that fairer testing would benefit the better security vendors as well as their customers.

Right now I'm trying to catch up with the papers that have been circulated following the last member's meeting in Budapest a few months ago, in preparation for the next meeting, which takes place in Prague next month (hard on the heels of next week's Virus Bulletin conference in Geneva).

 I expect a lot of exciting stuff to find its way onto the agenda: there are quite a few more papers on their way through the compiling/editing/approval process, some on such controversial topics as malware creation.

I also expect some lively discussion around the topics discussed at the strategy meeting at the end of August, where the Board of Directors and the Advisory Board. The Advisory Board is a group of respected individuals who are well acquainted with the malware field, but not aligned with the industry: as there are quite a few security vendors participating as members, the AB's impartial advice is invaluable in helping to correct any tendency to focus on the interests of the security and testing industries at the expense of the wider community.

There's been a lot of interest in the Review Analysis Board in recent months, and one of the topics likely to be discussed in depth is the possibility of streamlining that process and supplementing it with other measures of compliance with AMTSO testing principles. That may lead to some heated debate, but I think it's a necessary discussion: AMTSO compliance, whatever you (or I) may understand by that term, is something that a lot of people are anxious to see.

If you're affiliated with a company that's already a member, maybe I'll see you in Prague. If you're not, but you're going to be in Geneva for VB 2009, you may find Righard Zwienenberg's AMTSO  presentation on Thursday 24th of interest. Either way, i hope to see some of you at one event or the other, or both. I'm more than happy to talk about ESET, AMTSO, AVIEN or anything else. :-D Though not necessarily officially...

David Harley
Director of Malware Intelligence