Posted by: David Harley | June 6, 2013

AMTSO, testers, and vendors

Let’s get this out of the way: I have no current formal ties to AMTSO, and certainly don’t speak on its behalf (or on ESET’s, at any rate in articles on this blog). So maybe I can try to set the record straight on a couple of points that were raised in an article in Infosecurity Magazine’s newsfeed without being accused of being (or pretending to be) AMTSO’s mouthpiece. Again. Sigh…

  • Yes, its membership includes more vendors than testers, but not by design. The organization has worked hard over several years to attract more testers and keep the ones it has. In fact, given that there are far fewer professional testing organizations than there are security companies, and that raising the standard of testing almost inevitably and invariably requires testers to work harder and expend more resources, it seems to me that a proportion of 19 (not 20) to 5 is quite reasonable (assuming those figures are up to date), and the influence of testers (members and subscribers) has been far greater within the organization than those figures suggest.
  • €1250 isn’t a large sum for membership of a professional standards organization, but no, I wouldn’t pay that much as an individual. But if I wasn’t working in the security industry, I wouldn’t have much incentive to join as an individual. I do know people who were formerly in AMTSO who are not currently working for a tester or vendor: I can’t say whether they’d join as individuals if the fee was lower. There is a €25 subscription available: potentially a viable way of contributing to the debate at low cost, but with less influence on how the organization is run. I don’t know how many people have actually taken out a subscription, or how satisfied they’ve been that the money was well spent. But nor, I imagine, does Infosecurity Magazine. 😉
  • Ah yes, the AMTSO blog. I see that link has finally been removed from the AMTSO site. According to the article, ‘The AMTSO blog, however, merely says “…this blog no longer has any association with AMTSO, and is no longer maintained.”’ Actually, it doesn’t ‘merely’ say that at all: that’s an accurate quote, but that page also contains pointers to this blog – where some of the articles I originally posted there can still be found – and to AMTSO itself, including the blog on the AMTSO forum page.

For the record: I will never again invest the amount of personal time and effort into AMTSO that I did for several years, before and during my time as a director of the organization, and I certainly don’t think it’s beyond criticism. However, I still believe in its intended purposes, as outlined in its charter; I believe that AMTSO’s presence in the security community has overall done more good than harm; I even believe that its future plans have the potential to further improve the anti-malware product testing scene, if vendors and testers alike can continue to resist (mostly) the temptation to put their own interests ahead of the customer’s. It’s a pity that the media don’t appreciate its actual achievements and future potential for further improving the testing landscape. It sometimes seems that it’s seen purely as a stick with which to beat the security industry. Let’s not forget that if AMTSO raises the standard of testing even a little bit, that helps people to make better buying decisions, and that makes them a little safer.

David Harley
Not speaking for anyone but himself.
