Re: Charging customers on security
From: Adam Shostack (adam_at_homeport.org)
Date: Mon, 27 Sep 2004 12:20:55 -0400
To: wirepair <email@example.com>
You could point out that Microsoft and Oracle are advertising the
security and reliability of their applications, and it may be a
competitive advantage if you devote resources to it.
On Sun, Sep 26, 2004 at 02:40:29PM -0800, wirepair wrote:
| Charging for security of your own applications? That seems pretty backwards
| to me. Why should the client who buys your software with the expectation
| that it works and is secure have to pay for the fact that it isn't? So when
| my seat belts are broken, and my tires randomly explode, I have to pay the
| car manufacturer more money to get these features fixed?
| On Thu, 23 Sep 2004 10:16:40 -0700
| King Pang <firstname.lastname@example.org> wrote:
| >Our company develops Microsoft Solutions and I am responsible for
| >leading the security initiative in the corporation. I have spent a
| >lot of time and effort on how we should apply security guidance to our
| >product life cycle, such as adding threat modeling and doing security
| >review. But after I have convinced them that security is important,
| >we brought up a discussion on how we should charge our customers.
| >Many of you have customer experience. They want to pay the minimum
| >and have all the features. If they can choose not to pay, they won't.
| >If we tell them threat modeling will add x human-weeks of development
| >and we have to charge them x thousand dollars more, they won't pay.
| >Moreover, they expect the system to be secure enough and if there is
| >anything wrong, they would think that is our fault.
| >If any of you have any experience in dealing with security with customers
| >and how you would deal with this issue, please throw in two cents. Any
| >comments or related articles would help too.
| >Warm Regards.