RE: Charging customers on security

• Previous message: King Pang: "Re: Charging customers on security"
• In reply to: ovi: "Re: Charging customers on security"
• Next in thread: Glynn Clements: "Re: Charging customers on security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <secprog@securityfocus.com>
Date: Mon, 27 Sep 2004 18:24:07 +0200

Hi,

I'm administrator of an online game, located at www.shimlar.com
Although far from secure, we do our best to secure it as good as possible.
Why? Not because we're payed... it's a 100% free game.
We only do that to make OUR workload less.

Example? If someone claims he's hacked, we can reply: "Why aren't the admin
accounts never hacked? Change your password and keep it safe."
If we would have a lousy security, we would have to solve every little
problem...

I agree that security is the last thing developpers have time for, sad as it
seems.
That's why software shouldn't be sold... but rented.

At work, we develop a webapplication. If customers want extra's, we'll add
them, for a price.
It's a two way street: if we don't add, they won't pay the fee next year...
but if they don't pay, they have a lousy application.
Walking the thin line, but it works.

We already made our customers sign agreements that we didn't take
responsability if certain things weren't implemented.

Koen

-----Original Message-----
From: ovi [mailto:marioara.alexandru@tin.it]
Sent: Monday, September 27, 2004 3:57 PM
To: secprog@securityfocus.com
Subject: Re: Charging customers on security

It's ridiculous. What are you saying ?? If I as a client, don't pay you for
having a stable and secure program you sell me a buggy one???? Not even M$
is
thinking this way anymore, although they continue to sell buggy OS.

On Sunday 26 September 2004 22:40, wirepair wrote:
> Charging for security of your own applications? That seems pretty
backwards
> to me. Why should the client who buys your software with the expectation
> that it works and is secure have to pay for the fact that it isn't? So
when
> my seat belts are broken, and my tires randomly explode, I have to pay the
> car manufacturer more money to get these features fixed?
>
> duh?
> -wire
>
> On Thu, 23 Sep 2004 10:16:40 -0700
>
> King Pang <kingpang@gmail.com> wrote:
> > Hello,
> >
> > Our company developers Microsoft Solutions and I am responsible for
> > leading the security initiative in the corporation. I have spent a
> > lot of time and effort on how we should apply security guidance to our
> > product life cycle, such as adding threat modeling and doing security
> > review. But after I have convinced them that security is important,
> > we brought up a discussion on how we should charge our customers.
> >
> > Many of you have customer experience. They want to pay the minimum
> > and have all the features. If they can choose not to pay, they won't.
> > If we tell them threat modeling will add x human-weeks of development
> > and we have to charge them x thousand dollars more, they won't pay.
> > Moreover, they expect the system to be secure enough and if there is
> > anything wrong, they would think that is our fault.
> >
> > If any of you have any experience on dealing security with customers
> > and how you would deal with this issue, please throw in two cents. Any
> > comments or related articles would help too.
> >
> > Warm Regards.
>
> --
> Visit Things From Another World for the best
> comics, movies, toys, collectibles and more.
> http://www.tfaw.com/?qt=wmf

• Previous message: King Pang: "Re: Charging customers on security"
• In reply to: ovi: "Re: Charging customers on security"
• Next in thread: Glynn Clements: "Re: Charging customers on security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]