Re: Charging customers on security

From: Adam Shostack (adam_at_homeport.org)
Date: 09/27/04

  • Next message: ovi: "Re: Charging customers on security"
    Date: Mon, 27 Sep 2004 12:20:55 -0400
    To: wirepair <wirepair@roguemail.net>
    
    

    You could point out that microsoft and oracle are advertising the
    security and reliability of their applications, and it may be a
    competitive advantage if you devote resources to it.

    Adam

    On Sun, Sep 26, 2004 at 02:40:29PM -0800, wirepair wrote:
    | Charging for security of your own applications? That seems pretty backwards
    | to me. Why should
    | the client who buys your software with the expectation that it works and is
    | secure have to
    | pay for the fact that it isn't? So when my seat belts are broken, and my
    | tires randomly explode,
    | I have to pay the car manufacturer more money to get these features fixed?
    |
    | duh?
    | -wire
    |
    | On Thu, 23 Sep 2004 10:16:40 -0700
    | King Pang <kingpang@gmail.com> wrote:
    | >Hello,
    | >
    | >Our company developers Microsoft Solutions and I am responsible for
    | >leading the security initiative in the corporation. I have spent a
    | >lot of time and effort on how we should apply security guidance to our
    | >product life cycle, such as adding threat modeling and doing security
    | >review. But after I have convinced them that security is important,
    | >we brought up a discussion on how we should charge our customers.
    | >
    | >Many of you have customer experience. They want to pay the minimum
    | >and have all the features. If they can choose not to pay, they won't.
    | >If we tell them threat modeling will add x human-weeks of development
    | >and we have to charge them x thousand dollars more, they won't pay.
    | >Moreover, they expect the system to be secure enough and if there is
    | >anything wrong, they would think that is our fault.
    | >
    | >If any of you have any experience on dealing security with customers
    | >and how you would deal with this issue, please throw in two cents. Any
    | >comments or related articles would help too.
    | >
    | >Warm Regards.
    |
    | --
    | Visit Things From Another World for the best
    | comics, movies, toys, collectibles and more.
    | http://www.tfaw.com/?qt=wmf


  • Next message: ovi: "Re: Charging customers on security"

    Relevant Pages

    • Re: More on jobs & immigrants
      ... >> don't get paid, and we all NEED the pay because if we don't get that pay, ... >> the doctor no one challenges the doctor to give a ... > imagine that, perhaps, most people are actually "sheeple". ... > security they sacrifice their freedoms for is but an illusion. ...
      (sci.research.careers)
    • RE: Easy security question, quick answer needed
      ... Apply Microsoft Access User Level security and provide the applications you ... WorkGroup Information File to use. ...
      (microsoft.public.access.security)
    • Re: Recomended reading for 070-330
      ... Microsoft Visual Basic .NET and Microsoft Visual C# .NET ... Building Secure Microsoft ASP.NET Applications ... NET Framework Security ...
      (microsoft.public.cert.exam.mcad)
    • Re: Recomended reading for 070-330
      ... Microsoft Visual Basic .NET and Microsoft Visual C# .NET ... Building Secure Microsoft ASP.NET Applications ... NET Framework Security ...
      (microsoft.public.cert.exam.mcsd)
    • Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
      ... True, some sort of legislation might do the trick, but there is always ... we'll be forcing end users to pay more for something they ... With regards to security costs, ... Hosted and sponsored by Secunia - http://secunia.com/ ...
      (Full-Disclosure)