The Anti-Malware Testing Standards Organization (AMTSO) has been very much on my mind recently, even though I'm no longer a Board member. In fact, I presented a paper – After AMTSO: a funny thing happened on the way to the forum – at the recent EICAR conference, discussing whether AMTSO really has enough popular credibility to achieve its aims, or at least to achieve more than it already has.
Don't get me wrong: I'm the last person to dismiss the considerable achievements of the organization in providing a repository of testing resources and guidelines documents, as well as generally advancing discussion on the need for and ways of achieving improvement of testing standards in general. I'm just not convinced that the organization can impose standards in its own right. To quote my own abstract:
However, it's clear that the organization has no magic wand and a serious credibility problem, so it isn't going to save the world (or the internet) all on its own. So where do we (the testing and anti-malware communities) go from here? Can we identify the other players in this arena and engage with them usefully and appropriately?
Yesterday, I returned from the latest AMTSO workshop in Munich, where the membership discussed at considerable length how it could bridge its own credibility gap. And the favored way of doing that seems to be by re-engineering the organization's internal structure in a way that looks more like a commercial enterprise (albeit run on a budget that at present would barely pay for a round of drinks at Google's Christmas party). The likely form that will take is an executive team still consisting mostly of volunteers, but with the welcome addition of a paid administrator. In addition, the organization is considering returning to one of its early goals of monitoring and documenting ongoing testing, though probably in a less contentious form than its earlier review analysis process.
Whatever it takes, I guess. The question remains whether vendors and testers can play nicely enough together to keep the group alive. Even if they do, I'm not detecting a real sense that the organization needs to go far beyond cooperation between those two highly-partial groups and a highly specialized academic sector before it can claim to be establishing genuine standards. It needs to engage with a whole range of other stakeholders to get past the (un)popular perception of AMTSO as a vendor cartel. A more efficient business model should make it more effective in some senses. But will it also make it harder for people to remember AMTSO's non-profit status and intentions if it starts to look more like another hierarchical security company than a somewhat ramshackle aggregation of volunteers?