If you feel comforted by your antivirus vendor’s boast of having a certification from Verizon, then maybe you need to rethink that. Google Project Zero security researcher Tavis Ormandy says the methodology behind Verizon’s certification is “about as ridiculous as you would expect,” but vendors follow the gimpy guideline criteria (pdf), pay the fee to be certified, and users tend to view the certification as some sign of excellence to be trusted.

Ormandy has been trying to clean up some of the “low hanging vulnerabilities” in high-profile security products. Most recently, he has been focused on Comodo Antivirus. Ormandy pointed out a few of the “simple” security issues he identified, but it’s not just Comodo; he has found vulnerabilities in many big-name security products such as Malwarebytes, Avast, AVG, FireEye, Trend Micro and more.

Whatever you do, don’t ask Ormandy which antivirus should be used; he says that question misses the point.

Taking Comodo as an example, Ormandy explained that the first vulnerabilities he found required no skill, since point-and-click tools can find them. But when he applied more advanced techniques, he found “hundreds of critical memory corruption flaws” and “even more serious design flaws and logic errors.” And that was without access to the source code or developer documentation.

Meanwhile, as Ormandy is “trying to clean up some of the low hanging fruit that is endangering billions of users worldwide,” Comodo is bragging about having received the “Excellence in Information Security Testing Award” from ICSA Labs, an independent division of Verizon.

Comodo senior VP of engineering Egemen Tas said, “Customers across the globe continue to show great confidence in Comodo’s ability to protect their endpoints and networks from today’s security threats of both the known and unknown kind. This recognition by ICSA Labs is an important third-party validation of Comodo’s leading security capabilities and technologies.”

Yet Ormandy said, “These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.”

Ormandy doesn’t believe the antivirus industry will “make even a token effort” at resolving security issues “unless their hand is forced.” He tossed out a few suggestions, such as integrating Microsoft’s Security Development Lifecycle (SDL) verification into the testing process and awarding bonus ranking points to vendors that implement sandboxing.

He concluded:

Something has to change soon. The next slammer or codered isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices, it’s still hacking like it’s 1999.