Don’t feel comforted by an antivirus’s security certification

If you feel comforted by your antivirus vendor’s boast of having a certification from Verizon, then maybe you need to rethink that. Google Project Zero security researcher Tavis Ormandy says the methodology behind Verizon’s certification is “about as ridiculous as you would expect,” but vendors follow the gimpy guideline criteria (pdf), pay the fee to be certified and users tend to view the certification as some sign of excellence to be trusted.

Ormandy has been trying to clean up some of the “low hanging vulnerabilities” in high-profile security products. Most recently, he’s been focused on Comodo Antivirus. Ormandy pointed out a few of the “simple” security issues he identified, but it’s not just Comodo; he’s found vulnerabilities in many big name security products such as Malwarebytes, Avast, AVG, FireEye, TrendMicro and more.

Whatever you do, don’t ask Ormandy which antivirus should be used as he says that misses the point.

Taking Comodo as an example, Ormandy explained that the first vulnerabilities he found required no skill as point-and-click tools can do it. But when he used more advanced skills, he found “hundreds of critical memory corruption flaws” and “even more serious design flaws and logic errors.” And that was without having access to the source code and developer documentation.

Meanwhile, as Ormandy is “trying to clean up some of the low hanging fruit that is endangering billions of users worldwide,” Comodo is bragging about having received the “Excellence in Information Security Testing Award” by ICSA Labs which is an independent division of Verizon.

Comodo senior VP of engineering Egemen Tas said, “Customers across the globe continue to show great confidence in Comodo’s ability to protect their endpoints and networks from today’s security threats of both the known and unknown kind. This recognition by ISCA Labs is an important third-party validation of Comodo’s leading security capabilities and technologies.”

Yet Ormandy said, “These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.”

Ormandy doesn’t believe the antivirus industry will “make even a token effort” at resolving security issues “unless their hand is forced.” He tossed out a few suggestions such as integrating Microsoft’s Security Development Lifecycle (SDL) verification into the testing process and awarding bonus ranking points to vendors which implement sandboxing.

He concluded:

Something has to change soon. The next slammer or codered isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices, it’s still hacking like it’s 1999.