If you feel you safer because an antivirus vendor is certified by Verizon protector, it’s time to revise your assumptions. Google’s Tavis Ormandy claims that the methodology of the certification process “is about as ridiculous as you might expect.” Suppliers are the rickety directive criteria (PDF), pay a fee to obtain the certificate and users that then as a reliable mark
.
Holes found directly
Ormandy is doing a crusade against easy to find vulnerabilities in high-profile security products. So he took several times Comodo AV on the grain. He pointed to a number of simple issues that he noticed immediately, but the problem is not confined to Comodo. He found similar problems in products of Malwarebytes, Avast, AVG, FireEye, Trend Micro and more.
Ask Ormandy moreover not any antivirus product can or should take, because then you get the answer that the whole concept AV problems has:
I get asked Constantly av what to use. You’re missing the point; P Creates more problems than it solves, and we’re overdue an av slammer
-. Tavis Ormandy (@taviso) 12 March 2016
The Ormandy took no trouble to the find vulnerabilities, as simple tools they already notice. With the use of more advanced skills, he found hundreds of critical memory errors and even worse logic and design flaws. And that without having access to the source code and documentation developers.
Useless Tests
Meanwhile, while Ormandy errors in, for example, software Comodo with ease discovered Comodo creates about receiving the “Excellence in Information Security Testing Award from ICSA Labs, an independent division of Verizon. According to vice president Egemen Tas Comodo is the value recognition of Comodo’s security.
According to Ormandy are “useless tests for antivirus companies actually make the effort to succeed. Maybe it ensure that these tests actually something substantial testing the first step towards improvement. “
the 90-code
the researcher believes that the industry not even going to take a tentative step in that direction, unless they are forced to do. He has a suggestion for improving the software, such as the integration of Microsoft’s SDL in the testing process and the allocation of bonus points for suppliers who implement sandboxing.
“There has to change something. The next Slammer or CodeRed takes IIS or MSSQL not on the grain: the security of Microsoft software is very different from ten years ago, but use all the major security vendors have an ancient code base without an eye for modern security practices – it’s still hacking like it’s 1999 “.
Mrs. Smith – not her real name – is a programmer with specific interest in IT -privacy and security. She is a freelance writer.
No comments:
Post a Comment