RE: Charging customers on security

From: Ton Geurts (Geurts_at_vanveen.nl)
Date: 09/27/04

  • Next message: Steve Friedl: "Re: Charging customers on security"
    To: secprog@securityfocus.com
    Date: Mon, 27 Sep 2004 16:14:04 +0200
    
    

    Yes, you do have to pay the car manufacturer for better tires and good
    seatbelts. Why did you expect the car was that cheap in the first place? In
    the IT customers expect a Mercedes while not wanting to pay more than the
    price of a second hand Subaru.

    If your customer is not willing to pay for a security update for the current
    product, you have three possibilities:
    1. Sell your customer a new product and emphasize the enhanced security. Add
    a couple of other great features to make it convincing, tell him the current
    version will no longer be supported Q2-2005, etcetera. Again that is a nice
    task for the sales dep.
    2. Let your customer pay for security enhancements and other bugs through
    maintenance subscriptions. That way he pays in advance for mistakes you (or
    others) will discover. If your customer is willing to pay even more for his
    subscription he can get tailor made patches that fit his companies.
    3. If your sales staff can't sell security in a time like this: fire the
    entire sales department and hire a new one. They always manage to sell the
    biggest nonsense and let us developers solve the problems they have created.
    For once they should earn their living :-)

    Don't forget to read the Dilbert cartoons. They are very educating on these
    matters.

    GRTNX from Holland,
    Ton

    -----Original Message-----
    From: wirepair [mailto:wirepair@roguemail.net]
    Sent: zondag 26 september 2004 23:40
    To: secprog@securityfocus.com
    Subject: Re: Charging customers on security

    Charging for security of your own applications? That seems pretty backwards
    to me. Why should
    the client who buys your software with the expectation that it works and is
    secure have to
    pay for the fact that it isn't? So when my seat belts are broken, and my
    tires randomly explode,
    I have to pay the car manufacturer more money to get these features fixed?

    duh?
    -wire

    On Thu, 23 Sep 2004 10:16:40 -0700
      King Pang <kingpang@gmail.com> wrote:
    > Hello,
    >
    > Our company developers Microsoft Solutions and I am responsible for
    > leading the security initiative in the corporation. I have spent a
    > lot of time and effort on how we should apply security guidance to our
    > product life cycle, such as adding threat modeling and doing security
    > review. But after I have convinced them that security is important,
    > we brought up a discussion on how we should charge our customers.
    >
    > Many of you have customer experience. They want to pay the minimum
    > and have all the features. If they can choose not to pay, they won't.
    > If we tell them threat modeling will add x human-weeks of development
    > and we have to charge them x thousand dollars more, they won't pay.
    > Moreover, they expect the system to be secure enough and if there is
    > anything wrong, they would think that is our fault.
    >
    > If any of you have any experience on dealing security with customers
    > and how you would deal with this issue, please throw in two cents. Any
    > comments or related articles would help too.
    >
    > Warm Regards.

    --
    Visit Things From Another World for the best
    comics, movies, toys, collectibles and more.
    http://www.tfaw.com/?qt=wmf
    

  • Next message: Steve Friedl: "Re: Charging customers on security"

    Relevant Pages

    • Re: Charging customers on security
      ... If you can define what your customer considers "secure ... scope documents that clearly state what security controls and provisions are ... such as adding threat modeling and doing security ... If they can choose not to pay, ...
      (SecProg)
    • Re: More on jobs & immigrants
      ... >> don't get paid, and we all NEED the pay because if we don't get that pay, ... >> the doctor no one challenges the doctor to give a ... > imagine that, perhaps, most people are actually "sheeple". ... > security they sacrifice their freedoms for is but an illusion. ...
      (sci.research.careers)
    • Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
      ... True, some sort of legislation might do the trick, but there is always ... we'll be forcing end users to pay more for something they ... With regards to security costs, ... Hosted and sponsored by Secunia - http://secunia.com/ ...
      (Full-Disclosure)
    • Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
      ... of my developers to use security best practises as they develop. ... be sure work is completed to a professional standard. ... you it all comes down to costs and who is going to pay. ... having a secure device/service/whatever brings in expenses. ...
      (Full-Disclosure)
    • Re: This may be goodbye..
      ... I was in the same situation in 1998.My child support payments were,$150.00 ... security DECISION.it TOOK OVER 21/2 YEARS.I OWED over $19,000.00.Sorry hit ... It was not $150 a week as ordered in the divorce agreement.The judge changed ... Social Security will not pay yours if any ...
      (alt.support.chronic-pain)