Re: Charging customers on security

From: S. M. (vel_at_sympatico.ca)
Date: 09/28/04

    To: "Adam Shostack" <adam@homeport.org>, "wirepair" <wirepair@roguemail.net>
    Date: Tue, 28 Sep 2004 13:33:09 -0700

    I used to work on a help desk for an ISP. Many times I would get calls from
    customers who had been hit by the Blaster worm or some variant. Even though
    these customers had the company's anti-virus and firewall, they would blame
    us for their having caught a worm. The Blaster worm exploits a vulnerability in
    the Windows 2000 and XP operating systems. They caught the worm because of the
    vulnerability in the OS. Also, AVs and FWs reduce the risk of getting
    infected or having your system compromised; they do not eliminate it.

    Moral of the story: There are a lot of users out there without any computer
    knowledge operating systems that are more powerful than the one on the
    first Moon mission. So be upfront and spell it out in the agreement.
    Think about it: Will your car manufacturer's warranty pay for wear and
    tear, such as brake pads, etc.? NO! Or does insurance pay for acts of God
    such as floods? No! Or if the bank goes bankrupt and you had a million
    dollars in the bank account, will your bank compensate you the full
    1,000,000 dollars? NO! It will only compensate you the CDIC limit of
    60,000 dollars.

    It is a fine line. Their expectation for a secure application is reasonable.
    The question is, how do you quantify reasonable?

    Cheers.

    ----- Original Message -----
    From: "Adam Shostack" <adam@homeport.org>
    To: "wirepair" <wirepair@roguemail.net>
    Cc: <secprog@securityfocus.com>
    Sent: Monday, September 27, 2004 9:20 AM
    Subject: Re: Charging customers on security

    > You could point out that microsoft and oracle are advertising the
    > security and reliability of their applications, and it may be a
    > competitive advantage if you devote resources to it.
    >
    > Adam
    >
    > On Sun, Sep 26, 2004 at 02:40:29PM -0800, wirepair wrote:
    > | Charging for security of your own applications? That seems pretty
    > | backwards to me. Why should the client who buys your software with the
    > | expectation that it works and is secure have to pay for the fact that
    > | it isn't? So when my seat belts are broken, and my tires randomly
    > | explode, I have to pay the car manufacturer more money to get these
    > | features fixed?
    > |
    > | duh?
    > | -wire
    > |
    > | On Thu, 23 Sep 2004 10:16:40 -0700
    > | King Pang <kingpang@gmail.com> wrote:
    > | >Hello,
    > | >
    > | >Our company develops Microsoft Solutions and I am responsible for
    > | >leading the security initiative in the corporation. I have spent a
    > | >lot of time and effort on how we should apply security guidance to our
    > | >product life cycle, such as adding threat modeling and doing security
    > | >review. But after I have convinced them that security is important,
    > | >we brought up a discussion on how we should charge our customers.
    > | >
    > | >Many of you have customer experience. They want to pay the minimum
    > | >and have all the features. If they can choose not to pay, they won't.
    > | >If we tell them threat modeling will add x human-weeks of development
    > | >and we have to charge them x thousand dollars more, they won't pay.
    > | >Moreover, they expect the system to be secure enough and if there is
    > | >anything wrong, they would think that is our fault.
    > | >
    > | >If any of you have any experience in dealing with security with customers
    > | >and how you would deal with this issue, please throw in your two cents. Any
    > | >comments or related articles would help too.
    > | >
    > | >Warm Regards.
    > |
    > | --
    > | Visit Things From Another World for the best
    > | comics, movies, toys, collectibles and more.
    > | http://www.tfaw.com/?qt=wmf
    >
