This blog has so far discussed very specific technical issues. However, security is never a purely technical problem; it involves law, society, and economics. Now let's look at the major security issues that software companies face.
Simply put, I think a software enterprise needs to consider the following four levels of security issues:
1. Physical security
2. Internal/IT security
3. Operational security
4. Software product security
These four aspects run from low to high and from general to specific. In detail:
Physical security: every enterprise must consider this, whether or not it is a software enterprise and whether or not it has an internal IT function. Examples include protecting confidential enterprise data such as financial statements, and the company's rules governing personnel access.
Internal IT security: only enterprises that rely on internal IT support need to consider this, whether or not they are software enterprises. Examples include internal network security, installing patches on machines, domain settings, and so on.
Operational security: enterprises that provide (software) services need to consider this. Examples include the security of externally facing service websites and server traffic control (against DoS). Note the difference from internal IT security: here the threats to be addressed are uncontrollable factors from outside.
Software product security: enterprises that provide software products need to consider this. However, how much an enterprise truly emphasizes product security is closely tied to its stage of development. In other words, only when a software enterprise has developed to the point where its product security affects its product profits will this security consideration receive attention. This can be seen clearly from Microsoft's own history.