Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 18 Mar 2009 17:21:56 -0400 (EDT)


On Wed, 18 Mar 2009, Gary McGraw wrote:

"Both early phases of software security made use of any sort of argument
or 'evidence' to bolster the software security message, and that was
fine given the starting point. We had lots of examples, plenty of good
intuition, and the best of intentions. But now the time has come to put
away the bug parade boogeyman, the top 25 tea leaves, black box web app
goat sacrifice, and the occult reading of pen testing entrails. The time
for science is upon us."

Given your critique of Top-N lists and bug parades in this paragraph and
elsewhere, why is a "top N bugs list" explicitly identified in BSIMM
CR1.1, and partially applicable in places like T1.1, T2.1, SFD2.1, SR1.4,
and CR2.1?

- Steve
