ormandy and sophos and security research

Tavis Ormandy and Sophos are being mentioned in the same headlines again, this time for Tavis releasing a security report on Sophos Antivirus [pdf], a Sophos response, and a CSO.com posting that drops the “says the product should be kept away from high value information systems” faux-quote.

Whew! There’s never any winning in situations like this. Either a company patches too quickly and recklessly, or it patches too slowly, with “slow” being an entirely subjective term. Software has bugs and shouldn’t be trusted as secure, yet all software has issues eventually. Response is the key, but there again we dive into subjective terms.

Either way, consumers benefit from the knowledge being out there and from the progress being made, both by researchers poking at systems and by companies improving because of it. I think it’s a bit melodramatic to suggest that others not use a product, but that’s an opinion that can be weighed along with one’s own risk judgement.