Security vendors should embrace those hunting bugs in their products

Security software is software too — and it will have flaws.

Last week, I was interviewed for the Risky Business podcast. I really enjoyed the experience, not just because I've long been a fan of the show, but also because we discussed a subject I really care about: the security of security products.

If you follow the security news, you will have noticed that several researchers (with Google's Tavis Ormandy most prominent among them) are currently hunting for vulnerabilities in anti-virus and other security products. After disclosing the vulnerabilities to the relevant vendors in a responsible manner, they write about their findings on Twitter and on various blogs.


More VB Conference papers and videos published

11 papers and 9 videos added to our website.

In the security industry, we're used to people saying sorry: "sorry we chose a default password of 12345678"; "sorry we didn't look after your personal data better"; "sorry we didn't discover this huge vulnerability earlier"; and so on.

In that context, my reason for apologising is far more mundane. There were some great papers and presentations given at our VB2014 conference in Seattle that we simply haven't yet got around to publishing.


Throwback Thursday: Peter-II - Three Questions of The Sphinx

This Throwback Thursday, VB heads back to 1993, when an ordinary memory-resident master boot sector virus spiced things up with a bit of pop trivia.

Over recent years we have become used to hearing about ransomware extorting money from victims by locking up their devices and demanding a ransom in order for access to the device to be restored. Back in 1993, however, before malware had truly become linked with monetary gain, there was a device hold-up of a different kind: know your pop trivia or face losing your data.


VB2015 paper: Effectively testing APT defences

Simon Edwards discusses how to test the potentially untestable.

Like the term or loathe it, APTs have given rise to a new generation of security products that protect against these more targeted and sometimes more advanced threats. Often, such products come with bold claims about how they are able to fend off such threats in ways that traditional security products can't.

At VB2015, Simon Edwards (Dennis Technology Labs) presented a paper, written together with Richard Ford (Florida Institute of Technology) and Gabor Szappanos (Sophos), on how to effectively test such technologies.



Fifteen full solutions and three DNS-based blacklists lined up on the test bench for this VBSpam test and all but one of the full solutions reached the performance level required to earn a VBSpam award. More impressively, eight of them achieved a VBSpam+ award.


This month the VB lab team put 14 business products and 30 consumer products to the test on Windows 8.1 Pro. The VB100 pass rate was decent, although not quite up to the perfect or near-perfect fields seen in a few recent tests.

Date          Event                                   Location
Feb 15 - 18   M3AAWG 36th General Meeting             San Francisco, CA, USA
Mar 14 - 18   TROOPERS16                              Heidelberg, Germany
Mar 16 - 18   CanSecWest                              Vancouver, BC, Canada
June 09       Copenhagen Cybercrime Conference 2016   Copenhagen, Denmark
Oct 05 - 07   VB2016                                  Denver, CO, USA

VB Conference

VB2016 Denver, 5-7 Oct 2016: Covering the global threat landscape
The VB conference is a major highlight of the security calendar, with many of its regular attendees citing it as the IT security event of the year. VB2016 will take place in Denver, Colorado, USA.

Previous VB conference delegates said:

‘Organization of the conference was flawless. I really appreciate that the talks were kept strictly on time.’

