[monocasa]

The contracts are rarely specifying stuff like antivirus explicitly, but instead compliance with one or more of the security standards like PCI DSS. Those say you have to use antivirus, but they all have an escape hatch called a "compensating control" which is basically "we solved the problem this is trying to solve this other way that's more conducive to our overall security posture, and got the auditor to agree with us".

[bennyelv]

My source: I review a lot of contracts. It's very common for things to be explicitly required.

Yes you can go back and forth and argue the toss, but it pushes up the cost of the sale and forces your customer to navigate a significant amount of bureaucracy to get a contract agreed. Or you could just run AV like they asked you to...

[pas]

Wait, I thought in this case we are the customer!? Okay what kind of contracts are we talking about? :D

[aflukasz]

Can you propose an example of a compensating control for an "antivirus" that had a chance to pass? Would you propose something like custom SELinux/Apparmor setup + maybe auditd with alerting? Or some Windows equivalent of those.

[fragmede]

compensating controls ftw. the spirit of the law vs the letter of the law. our system was more secure with the compensating controls, vs the prescribed design. this meant no having to rotate passwords because fuck that noise.