This paper focuses on quantitative analysis methods for security risk assessment and on the widely adopted "Defense in Depth" security model, drawing on the author's deep understanding of and project experience in the software security field. For security risk assessment, the paper categorizes the general assessment process, analyzes the advantages, disadvantages and applicability of qualitative and quantitative methodologies, and proposes an applicable assessment process and a new quantitative methodology that can adapt to different enterprise and software architectures. For the "Defense in Depth" model, the paper analyzes its design principles and categorizes and summarizes the security protections at each security layer. Finally, and most importantly, the author proposes a new security solution for Microsoft platforms that integrates the quantitative risk assessment methodology with the Defense in Depth model; this solution is based on the author's experience with products and projects and has been verified through real implementations.