What does the online security management of a website business system do (according to the Microsoft SDL, Security Development Lifecycle)? How do you build a security technology protection framework for an enterprise? (It needs to relate to the Class III requirements, which are required for security equipment.) What do information security professionals need to manage as carefully as possible?
Stage 1: Training. All members of the development team must receive the corresponding security training and understand the relevant security knowledge, including developers, testers, project managers, product managers, etc.

Stage 2: Requirements. Before the project is approved, communicate with the project manager or product owner in advance to determine the security requirements and what needs to be done. Confirm the project plan and milestones, and try to avoid delaying the project's release because of security problems.

Stage 3: Quality gates / bug bars. Quality gates and bug bars are used to determine the minimum acceptable level of security and privacy quality. A bug bar is a quality gate applied to the whole development project and defines the severity threshold for security vulnerabilities; for example, an application must not contain any known vulnerability rated "critical" or "important" when it is released. Once the bug bar is set, it must not be relaxed.

Stage 4: Security and privacy risk assessment. A security risk assessment (SRA) and a privacy risk assessment (PRA) are mandatory processes and must cover the following:
1. (Security) Which parts of the project need a threat model before release?
2. (Security) Which parts of the project need a security design review before release?
3. (Security) Which parts of the project need penetration testing by a mutually agreed-upon team that is independent of the project team?
4. (Security) Are there any additional testing or analysis requirements that the security advisor considers necessary to mitigate security risks?
5. (Security) What is the specific scope of the fuzz testing requirements?
6. (Security) What is the privacy impact rating?

Stage 5: Design requirements. Security and privacy issues must be seriously considered in the design stage, and security requirements should be determined at the start of the project to avoid, as far as possible, requirement changes caused by security later on.

Stage 6: Attack surface reduction. Reducing the attack surface is closely related to threat modeling, but it approaches the security problem from a slightly different angle: reducing the attack surface reduces the opportunities an attacker has to exploit potential weaknesses or vulnerabilities, and therefore reduces risk. It includes shutting down or restricting access to system services, applying the principle of least privilege, and applying layered defense wherever possible.

Stage 7: Threat modeling. Build a model of the threats the project or product faces, and make clear where attacks may come from.

Stage 8: Specify tools. The compilers, linkers and other related tools used by the development team may have security implications, so the versions of the tools to be used should be agreed with the security team in advance.

Stage 9: Deprecate unsafe functions. Many commonly used functions carry security risks. Unsafe functions and APIs should be banned, and the functions recommended by the security team should be used instead.

Stage 10: Static analysis. Static code analysis can be carried out with the help of dedicated tools, and its results are combined with manual review.

Stage 11: Dynamic analysis. Dynamic analysis complements static analysis and is used to test the security of the running program. Fuzz testing is a specialized form of dynamic analysis.
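As an added illustration of how stages 3, 9 and 10 fit together (example code written for this page, not part of the SDL or any real tool), the following scanner enforces a constructed banned-function list over constructed C source lines and then applies a bug-bar gate to finding severities. The banned list, replacement names and sample source are assumptions for the example; the real SDL banned-API list is longer.

```python
import re
from typing import Iterable

# Constructed banned list in the spirit of SDL's banned-API rule (stage 9);
# each entry maps a banned call to a bounded replacement the security team
# would recommend instead.
BANNED_APIS = {
    "strcpy": "strcpy_s / strlcpy",
    "strcat": "strcat_s / strlcat",
    "sprintf": "snprintf / sprintf_s",
    "gets": "fgets / gets_s",
}

# Match the bare identifier followed by '(' so that strcpy_s, my_strcpy
# or snprintf are not flagged as false positives.
_CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(BANNED_APIS) + r")\s*\(")

def scan_banned_calls(source_lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Static check (stage 10) enforcing the banned-function rule (stage 9).
    Returns (line_no, function, recommended_replacement) per finding."""
    findings = []
    for no, line in enumerate(source_lines, start=1):
        code = line.split("//", 1)[0]          # ignore trailing line comments
        for m in _CALL_RE.finditer(code):
            findings.append((no, m.group(1), BANNED_APIS[m.group(1)]))
    return findings

# Bug bar (stage 3): any finding rated at or above the bar blocks release.
SEVERITY_RANK = {"low": 0, "moderate": 1, "important": 2, "critical": 3}

def bug_bar_blocks_release(severities: Iterable[str], bar: str = "important") -> bool:
    """True if at least one finding is rated at or above the bug bar."""
    threshold = SEVERITY_RANK[bar]
    return any(SEVERITY_RANK[s] >= threshold for s in severities)

# Constructed sample C source for the scanner; not from any real project.
SAMPLE_C = [
    "char name[16];",
    "strcpy(name, user_input);        // banned: no destination bound",
    "strcpy_s(name, sizeof name, user_input);",
    "my_strcpy(name, user_input);",
    "// sprintf(buf, fmt) mentioned only in a comment",
    "snprintf(buf, sizeof buf, \"%s\", user_input);",
    "gets (line);",
]

if __name__ == "__main__":
    for no, fn, fix in scan_banned_calls(SAMPLE_C):
        print(f"line {no}: {fn}() is banned; use {fix}")
```

Running the block reports only lines 2 and 7 of the sample; wiring the scanner's findings, with severities assigned by triage, into `bug_bar_blocks_release` gives a release gate that cannot be quietly relaxed.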