Defenders use lists because they have to manage hundreds and thousands of assets at the same time. What do you do when you have to manage a ton of things? You make a list. You go through that list. You apply a checklist.
Now should defenders also make dependency graphs too? Sure, but they should be making lists first before dependency graphs and making sure things are up to date, that they assume limited trust, and that resources are isolated. Then they should make dependency graphs.
“Defenders have to think in list and graphs and manage a billion things. Attackers just have to look at a few things.”
in this scenario you seem to be arguing lists as the basis of graphs - this is still the authors point, and a subtle but critical difference in how the problem is approached by defenders.
You have to have the insight to pivot your list into a graph, otherwise you just have a list of Crown Jewels and play whack-a-mole on the 10000s of ways they can be reached that you didn't consider.
Now should defenders also make dependency graphs too? Sure, but they should be making lists first before dependency graphs and making sure things are up to date, that they assume limited trust, and that resources are isolated. Then they should make dependency graphs.
“Defenders have to think in list and graphs and manage a billion things. Attackers just have to look at a few things.”