Software, security, patches, and others

Last week, Sun Peng and Ma ning were invited to serve as judges for the Microsoft Gold Medal Award. one of the contestants asked a series of questions:
Why does Microsoft keep providing patches? Is Windows operating system insecure?
What should I do if the system administrator has too much permissions?
If it is technically safe?
And so on ......

At that time, I couldn't talk to him in detail, so I had to clarify my views here:
1. No Safe Security
2. Security is not just a technical issue. security should be a complete system from system to management to trust system to implementation to technology.
3. both CIW and ICA systems emphasize the decentralization of rights. Therefore, a well-designed system should combine system permissions, business permissions, and data permissions without overlap. In particular, authorization separation between applications and data must be well performed.
4. permissions are not forbidden, but granted. All permissions of Non-public or transparent internal applications should be deny by default, which can be assigned as needed, delayed authorization, and received upon use.
5. Technically, you must design a security system that suits you. Many systems do not use user groups, permissions, roles, and other methods for organization.
6. the quality of software, including security, should be dynamically improved and continuously improved. It is impossible to expect that the software will not be able to change after the codecomplete is designed perfectly.

Let's continue to add new ideas.