[SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)
Gary McGraw
gem at cigital.com
Wed Mar 18 16:25:55 EST 2009
Hi Steve,
Because it is about building a top N list FOR A PARTICULAR ORGANIZATION. You and I have discussed this many times. The generic top 25 is unlikely to apply to any particular organization. The notion of using that as a driver for software purchasing is insane. On the other hand, if organization X knows what THEIR top 10 bugs are, that has real value.
See the examples under that practice.
gem
On 3/18/09 5:21 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:
On Wed, 18 Mar 2009, Gary McGraw wrote:
> "Both early phases of software security made use of any sort of argument
> or 'evidence' to bolster the software security message, and that was
> fine given the starting point. We had lots of examples, plenty of good
> intuition, and the best of intentions. But now the time has come to put
> away the bug parade boogeyman, the top 25 tea leaves, black box web app
> goat sacrifice, and the occult reading of pen testing entrails. The time
> for science is upon us."
Given your critique of Top-N lists and bug parades in this paragraph and
elsewhere, why is a "top N bugs list" explicitly identified in BSIMM
CR1.1, and partially applicable in places like T1.1, T2.1, SFD2.1, SR1.4,
and CR2.1?
- Steve