Compliance Management, Network Security, Vulnerability Management

Researcher bashes cert programs for giving high marks to flawed AV programs


A new blog post by security researcher Tavis Ormandy chastised security software certification programs, claiming many if not all are “meaningless,” as antivirus products often receive high grades from evaluators despite having multiple low-hanging vulnerabilities.

To substantiate his claims, Ormandy recently evaluated an anti-virus program from Comodo Group and found numerous flaws including weak authentication, incorrect access control lists, “hundreds of critical memory corruption flaws” and “even more serious design laws and logic errors.”

And yet, Comodo announced on Mar. 1 that ICSA Labs, an independent division of Verizon, awarded the company an “Excellent in Information Security Testing” award following a certification process.

Although the blog post singled out Comodo, Ormandy was clear that the problem broadly affects the entire antivirus industry. “I don't think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced,” Ormandy added.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.