Re: Charging customers on security

From: Adam Shostack (
Date: 09/27/04

    Date: Mon, 27 Sep 2004 12:20:55 -0400
    To: wirepair <>

    You could point out that Microsoft and Oracle are advertising the
    security and reliability of their applications, and it may be a
    competitive advantage if you devote resources to it.


    On Sun, Sep 26, 2004 at 02:40:29PM -0800, wirepair wrote:
    | Charging for security of your own applications? That seems pretty backwards
    | to me. Why should the client who buys your software with the expectation
    | that it works and is secure have to pay for the fact that it isn't? So when
    | my seat belts are broken, and my tires randomly explode, I have to pay the
    | car manufacturer more money to get these features fixed?
    | duh?
    | -wire
    | On Thu, 23 Sep 2004 10:16:40 -0700
    | King Pang <> wrote:
    | >Hello,
    | >
    | >Our company develops Microsoft Solutions and I am responsible for
    | >leading the security initiative in the corporation. I have spent a
    | >lot of time and effort on how we should apply security guidance to our
    | >product life cycle, such as adding threat modeling and doing security
    | >review. But after I have convinced them that security is important,
    | >we brought up a discussion on how we should charge our customers.
    | >
    | >Many of you have customer experience. They want to pay the minimum
    | >and have all the features. If they can choose not to pay, they won't.
    | >If we tell them threat modeling will add x human-weeks of development
    | >and we have to charge them x thousand dollars more, they won't pay.
    | >Moreover, they expect the system to be secure enough and if there is
    | >anything wrong, they would think that is our fault.
    | >
    | >If any of you have any experience on dealing with security with customers
    | >and how you would deal with this issue, please throw in two cents. Any
    | >comments or related articles would help too.
    | >
    | >Warm Regards.
