On Wed, 18 Mar 2009, Gary McGraw wrote:

> "Both early phases of software security made use of any sort of argument
> or 'evidence' to bolster the software security message, and that was
> fine given the starting point. We had lots of examples, plenty of good
> intuition, and the best of intentions. But now the time has come to put
> away the bug parade boogeyman, the top 25 tea leaves, black box web app
> goat sacrifice, and the occult reading of pen testing entrails. The time
> for science is upon us."

Given your critique of Top-N lists and bug parades in this paragraph and elsewhere, why is a "top N bugs list" explicitly identified in BSIMM CR1.1, and partially applicable in places like T1.1, T2.1, SFD2.1, SR1.4, and CR2.1?

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________