Who belongs to the Common Computing Security Standards Forum?

The CCSS Forum is a voluntary organization of security software vendors, operating system providers, and Internet browser software creators, working together to mitigate the risk of malware and protect consumers worldwide.

How will the CCSS Forum do that?

The CCSS Forum has three short-term goals:

  • Creating a mechanism for addressing issues and concerns with Microsoft's patch management system,
  • Establishing a method of communicating with certification authorities with respect to code signing certificates, and
  • Creating a compatibility matrix of the various software vendors.

The longer-term goals of the forum are to:

  • Develop standards in detecting and identifying malware
  • Provide an avenue for easy communication about industry problems for vendors
  • Point of contact with other industries that are affecting the current state of the industry

How can I get involved?

Join the forum. If your company or organization develops anti-virus software, operating systems or Internet browsers, and if you want to commit to eradicating malware, contact the forum to join. Meetings are by telephone twice a month.

How can I get involved if I don't work for one of those companies?

Educate yourself about Internet protection software and tell your friends. Install security software on your computer and keep it up to date. Contact us if you have questions or suggestions.

The CCSS forum is skeptical of just how meaningful personal firewall "leak testing" really is.

The key assumption of "leak testing" -- namely that measuring the outbound protection of personal firewalls in cases where malware has already executed on the test box -- is a dubious basis on which to build a security assessment. Today's malware is so malicious and cleverly designed that it is often safest to regard PCs as so thoroughly compromised that nothing on the box can be trusted once the malware executes. In short, "leak testing" starts after the game is already lost.

Moreover, "leak testing" is predicated on the further assumption that personal firewalls should warn users about unauthorized outbound connections even when the involved code components are not demonstrably malicious or suspicious (as is the case with simulator programs used for "leak testing"). In fact, this kind of program design risks pop-up fatigue in users, effectively lowering the overall security of the system -- the reason developers are increasingly shunning this design for security applications.

Finally, "leak testing" is conducted with simulator programs, the use of which has already been widely discredited among respected anti-malware researchers (for good reason). Simulators simply cannot approximate the actual behavior of real malware in real world conditions. Still worse, when simulators are used for anti-malware testing, the testing process is almost unavoidably tailored to fit the limitations of simulator instead of the complexity of real world conditions. What gets lost is a sense for how the tested products actually perform against live, kicking malware that exhibits behavior too complex to be captured in narrowly designed simulators.

Because of the inherent problems behind the philosophy of leaktests, the CCSS forum will be supporting dynamic testing that follows the AMTSO guidelines. Dynamic testing provides realistic tests of product efficiency and directly mimics malware executing on a machine. Realistic testing results in more accurate comparisons between security products and more helpful information to the end user. Additional information, including dynamic testing guidelines, can be found on the AMTSO website (www.amtso.com)