[CR2.7: 25] Use a top N bugs list (real data preferred).
The SSG maintains a list of the most important kinds of bugs it wants to eliminate from the organization’s code and uses it to drive change. It’s okay to start with a generic list pulled from public sources, but a list is much more valuable when it’s specific to the organization and built from real data gathered from code review, testing, and actual incidents. The SSG can periodically update the list and publish a “most wanted” report. (For another way to use the list, see [T1.6 Create and use material specific to company history].) Some firms build their top N list from multiple tools and real code base data rather than constraining themselves to a single service or tool. One potential pitfall with a top N list is “looking for your keys only under the street light”: the list includes only problems that are already known and being measured. Generic lists compound this; the OWASP Top 10, for example, rarely reflects a particular organization’s bug priorities. Simply sorting the day’s bug data by number of occurrences doesn’t produce a satisfactory top N list either, because daily counts are noisy and change too often to drive sustained work; a useful list reflects what the evidence shows over time, not one day’s snapshot. A top N bugs list should be used to kill bugs, not just to report them.
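As an added example (not part of BSIMM or this page), the Python sketch below contrasts the pitfall the text describes, sorting one day’s raw finding counts, with a list built from several evidence streams over a quarter, de-duplicated and weighted so that incidents and pentest results count for more than repeated scanner hits. The findings, tool names, locations and the source weights are all constructed for illustration; the weights in particular are an assumption, not numbers BSIMM prescribes.

```python
"""Build a top N bugs list from several evidence streams over a rolling window.

Added example; the data below is constructed for illustration and the
weights are an assumption, not numbers from BSIMM or any real programme.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    found_on: date
    source: str    # which evidence stream reported it (sast, dast, pentest, ...)
    cwe: str       # bug class, already normalised to a CWE id by the importer
    location: str  # file or component, used to collapse repeat reports


# Assumed weights: evidence that a bug class actually hurt the organisation
# (an incident, a pentest finding) counts for more than a scanner hit.
SOURCE_WEIGHTS = {"sast": 1.0, "dast": 1.5, "code_review": 2.0, "pentest": 3.0, "incident": 6.0}


def top_n(findings, as_of, window_days=90, weights=SOURCE_WEIGHTS, n=5):
    """Weighted, de-duplicated top N over the `window_days` ending at `as_of`."""
    since = as_of - timedelta(days=window_days)
    seen = set()
    score = defaultdict(float)
    for f in findings:
        if not since < f.found_on <= as_of:
            continue
        key = (f.source, f.cwe, f.location)
        if key in seen:  # the same tool re-reporting the same spot is not new evidence
            continue
        seen.add(key)
        score[f.cwe] += weights.get(f.source, 1.0)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def naive_daily_top_n(findings, day, n=5):
    """The pitfall from the text: sort a single day's raw counts."""
    counts = Counter(f.cwe for f in findings if f.found_on == day)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def daily_lists(findings, as_of, days=3, n=5):
    """Naive lists for the last `days` days, to show how much they swing."""
    return [naive_daily_top_n(findings, as_of - timedelta(days=back), n) for back in range(days)]


TODAY = date(2024, 6, 28)


def sample_findings():
    """Constructed sample evidence for one quarter (not real data)."""
    rows = []
    # Weekly SAST runs keep re-reporting the same ten outdated-dependency hits.
    for week in range(13):
        for i in range(10):
            rows.append(Finding(TODAY - timedelta(weeks=week), "sast", "CWE-1104", f"svc-a/requirements.txt#{i}"))
    # Today's SAST run also flags five new XSS sinks.
    rows += [Finding(TODAY, "sast", "CWE-79", f"web/templates/page{i}.html") for i in range(5)]
    # Yesterday's DAST run confirmed three of them.
    rows += [Finding(TODAY - timedelta(days=1), "dast", "CWE-79", f"/page{i}") for i in range(3)]
    # Last pentest: three authorisation bypasses. An older report falls outside the window.
    rows += [Finding(date(2024, 4, 20), "pentest", "CWE-639", f"api/orders/{i}") for i in range(3)]
    rows += [Finding(date(2024, 3, 15), "pentest", "CWE-311", f"legacy/export{i}") for i in range(2)]
    # Code review caught two missing authorisation checks.
    rows += [Finding(TODAY - timedelta(days=d), "code_review", "CWE-862", f"admin/view{d}") for d in (20, 40)]
    # Two production incidents were root-caused to SQL injection.
    rows.append(Finding(date(2024, 5, 15), "incident", "CWE-89", "billing-api/search"))
    rows.append(Finding(date(2024, 6, 10), "incident", "CWE-89", "reports/export"))
    return rows


if __name__ == "__main__":
    data = sample_findings()
    print("Weighted 90-day top 5:", top_n(data, TODAY))
    for back, ranked in enumerate(daily_lists(data, TODAY)):
        print(f"Naive count for {TODAY - timedelta(days=back)}:", ranked)
```

On this data the day-sorted list puts the outdated-dependency class first purely because a scanner reports it ten times per run, and it collapses to a single entry or nothing on days when no scan ran; the windowed list puts the bug class behind the two incidents first, counts the 130 repeated SAST rows as ten distinct problems, and drops the pentest finding from before the window. The dedupe key deliberately ignores the report date, so a tool nagging about the same location every week does not inflate the score; if persistence over time is something the SSG wants to reward, that is the place to change.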