Verizon-affiliated certificates for anti-virus are “meaningless,” according to Google security expert Tavis Ormandy, who claims that the awards fail to recognize “low hanging fruit” flaws in AV products.
In a blog post last weekend, Ormandy criticized ICSA Labs, an independent division of Verizon, for rewarding Comodo’s anti-virus software its 2016 Excellence in Information Security Testing Award despite the fact that he had discovered vulnerabilities in the product.
Comodo’s senior vice president of engineering Egemen Tas said ICSA accreditation was “an important third-party validation of Comodo’s leading security capabilities and technologies.”
Ormandy on the other hand claimed that he was able to find “hundreds of critical memory corruption flaws” in the software when analyzing it. These flaws have all been fixed, but he said it’s evidence that more and more flaws in anti-virus products aren’t being caught in a timely fashion.
Ormandy points out that he’s not focusing on just Comodo as he has found several vulnerabilities in big name AV products including Kaspersky Lab, AVG, and Avast.
He added that ICSA’s methodology for testing AV products wasn’t rigorous enough. “These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile,” he said.
“I’m trying to clean up some of the low hanging fruit that is endangering billions of users worldwide. I don’t think the antivirus industry is going to make even a token effort at resolving these issues unless their hand is forced.”
Along with Comodo, the organization awarded certificates to several other anti-virus and security companies including Palo Alto Networks, Imperva, and D-Link Huawei.
ICSA have yet to respond to a request for comment on Ormandy’s remarks.
Ormandy has made a habit out of publicly chastising security and anti-virus software makers for their mistakes and pushing for better practices.
I get asked constantly what av to use. You're missing the point; av creates more problems than it solves, and we're overdue an av slammer.
— Tavis Ormandy (@taviso) March 12, 2016
Last month he found a bug in Avast’s SafeZone browser that left passwords in danger. That same month he found a vulnerability in Malwarebytes that made users susceptible to man in the middle attacks while in December he discovered an AVG Chrome plug-in was potentially exposing the data of nine million users.