RE: Charging customers on security

From: Mitchell Hume (MHume_at_betrusted.com)
Date: 09/27/04

    Date: Mon, 27 Sep 2004 14:44:15 +1000
    To: <secprog@securityfocus.com>
    
    

    Yes, that sounds reasonable... But you don't get security without effort.
    And management is not going to bankroll that effort if they don't think
    customers are willing to pay for it. That payment may be clear and up
    front as an "extra" item, or bundled into the overall cost of a
    product. That means that there are likely to be extra items in your
    estimates for the additional cost of security. These are just the kind
    of things sales teams like to whittle when "massaging" the dev
    estimates.

    I can't help thinking the way forward is to work security requirements
    into the analysis phase. These may be a fairly standard reusable set
    that can be customised for different situations. Spending effort down
    the track is much easier (at least for solutions work) if you can point
    to a requirement and say "We have no choice. We must satisfy the agreed
    requirement or get it written out with a change request".

    Mitch

    -----Original Message-----
    From: wirepair [mailto:wirepair@roguemail.net]
    Sent: Monday, 27 September 2004 8:40 AM
    To: secprog@securityfocus.com
    Subject: Re: Charging customers on security

    Charging for security of your own applications? That seems pretty
    backwards to me. Why should the client who buys your software with the
    expectation that it works and is secure have to pay for the fact that it
    isn't? So when my seat belts are broken, and my tires randomly explode,
    I have to pay the car manufacturer more money to get these features
    fixed?

    duh?
    -wire

    On Thu, 23 Sep 2004 10:16:40 -0700
      King Pang <kingpang@gmail.com> wrote:
    > Hello,
    >
    > Our company develops Microsoft Solutions and I am responsible for
    > leading the security initiative in the corporation. I have spent a
    > lot of time and effort on how we should apply security guidance to our
    > product life cycle, such as adding threat modeling and doing security
    > review. But after I have convinced them that security is important,
    > we brought up a discussion on how we should charge our customers.
    >
    > Many of you have customer experience. They want to pay the minimum
    > and have all the features. If they can choose not to pay, they won't.
    > If we tell them threat modeling will add x human-weeks of development
    > and we have to charge them x thousand dollars more, they won't pay.
    > Moreover, they expect the system to be secure enough and if there is
    > anything wrong, they would think that is our fault.
    >
    > If any of you have any experience on dealing security with customers
    > and how you would deal with this issue, please throw in two cents. Any
    > comments or related articles would help too.
    >
    > Warm Regards.

