Linux – Does Linux really need Anti-Virus (other than hosted file scanning)

Tags: anti-virus, linux, security

A large company is doing a review of our software before they will use the web software built by our start-up company. We are using Linux to host, which is properly secured and hardened.

The regulation of the security reviewer is that all computers and servers must have an anti-virus program. Obviously, telling them that Linux can't be infected by a virus won't work.

Is there a 3rd party security article or resource which could help us convince them to drop the requirement, or will we need to install ClamAV and make it burn some CPU once a day?

Best Answer

Yes, it's certainly a reasonable request. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility.

You need to weigh the ramifications (annoyance factor, possible performance issues, maintenance overhead) of running AV with the value of this contract. If one company is listing AV as a requirement, it's likely that others will do the same in the future. If you're already running it, you'll be well-positioned to win their business.