Common IT Security Alert Systems II
I had posted my thoughts about having a common software flaw rating system in October. The National Infrastructure Advisory Council, a group of 30 companies that advises President Bush, commissioned a Common Vulnerability Scoring System (CVSS). The CVSS is the first step towards what I had said. The system needs to mature over several cycles and should have the support of the entire industry to work as it is intended to, not just a select group of organizations. Microsoft, for some reason, is not supporting it. As per the email from a Microsoft spokeswoman, Microsoft has no immediate plans to adopt the CVSS.
I had planned to really stop here, but as I thought about this while I wrote, a question came to my mind: why does Microsoft have to be the last to adopt (if at all) industry standards? Or does it feel that it is above the industry and should create its own standards, and that by adopting industry standards which have been initiated and developed by someone else, its value is going to go down? Microsoft has long created its own standards and, as a result, the Microsoft standards are not so secure. The benefit and purpose of having the industry contribute to a standard is like having a brainstorming session: other people tend to see what you might not see or might miss. By adopting and conforming to industry standards, Microsoft will indeed make the computing world a lot better and a lot more secure. There already are signs (although very small) that Microsoft is finally ready to adopt XML standards in the next version of the Office suite, which is due to hit Beta sometime by the end of this year.


