Secure Coding mailing list archives
BSIMM: Confessions of a Software Security Alchemist (informIT)
From: gem at cigital.com (Gary McGraw)
Date: Wed, 18 Mar 2009 17:25:55 -0400
Hi Steve,

Because it is about building a top N list FOR A PARTICULAR ORGANIZATION. You and I have discussed this many times. The generic top 25 is unlikely to apply to any particular organization. The notion of using that as a driver for software purchasing is insane. On the other hand, if organization X knows what THEIR top 10 bugs are, that has real value. See the examples under that practice.

gem

On 3/18/09 5:21 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:

> On Wed, 18 Mar 2009, Gary McGraw wrote:
>
> > "Both early phases of software security made use of any sort of argument or 'evidence' to bolster the software security message, and that was fine given the starting point. We had lots of examples, plenty of good intuition, and the best of intentions. But now the time has come to put away the bug parade boogeyman, the top 25 tea leaves, black box web app goat sacrifice, and the occult reading of pen testing entrails. The time for science is upon us."
>
> Given your critique of Top-N lists and bug parades in this paragraph and elsewhere, why is a "top N bugs list" explicitly identified in BSIMM CR1.1, and partially applicable in places like T1.1, T2.1, SFD2.1, SR1.4, and CR2.1?
>
> - Steve