Secure Coding mailing list archives

BSIMM: Confessions of a Software Security Alchemist (informIT)


From: gem at cigital.com (Gary McGraw)
Date: Wed, 18 Mar 2009 17:25:55 -0400

Hi Steve,

Because it is about building a top N list FOR A PARTICULAR ORGANIZATION.  You and I have discussed this many times.  
The generic top 25 is unlikely to apply to any particular organization.  The notion of using that as a driver for 
software purchasing is insane.  On the other hand if organization X knows what THEIR top 10 bugs are, that has real 
value.

See the examples under that practice.

gem


On 3/18/09 5:21 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:

On Wed, 18 Mar 2009, Gary McGraw wrote:

"Both early phases of software security made use of any sort of argument
or 'evidence' to bolster the software security message, and that was
fine given the starting point. We had lots of examples, plenty of good
intuition, and the best of intentions. But now the time has come to put
away the bug parade boogeyman, the top 25 tea leaves, black box web app
goat sacrifice, and the occult reading of pen testing entrails. The time
for science is upon us."

Given your critique of Top-N lists and bug parades in this paragraph and
elsewhere, why is a "top N bugs list" explicitly identified in BSIMM
CR1.1, and partially applicable in places like T1.1, T2.1, SFD2.1, SR1.4,
and CR2.1?

- Steve