RE: Charging customers on security

From: Michael Wojcik (Michael.Wojcik_at_microfocus.com)
Date: 09/29/04

    To: secprog@securityfocus.com
    Date: Wed, 29 Sep 2004 10:46:58 -0700
    
    

    > From: Wesley Shields [mailto:wxs@csh.rit.edu]
    > Sent: Tuesday, 28 September, 2004 16:29
    >
    > On Tue, Sep 28, 2004 at 04:12:54AM +0100, Glynn Clements wrote:
    >
    > > There's nothing ridiculous about the cost to the client reflecting the
    > > development costs. Implementing security features takes time and
    > > therefore costs money.
    >
    > Yes, and there is no excuse for not expending that effort.

    Staying in business, so you can continue to develop, sell, and maintain the
    software, is a perfectly good excuse.

    > Keeping the cost to a customer low is a sound business decision,

    It's the only reasonable decision if it makes the difference between success
    and failure. Software firms that go out of business do not improve the
    state of software security.

    > but it quickly
    > becomes outweighed by the number of bugs left open when not expending
    > the effort to fix them because it will cost more money.

    Historically this has not been true. The most profitable software companies
    have not had to ensure their software is even close to bug-free. Why do you
    believe the situation has changed?

    > Personally, I'd rather pay more to know that the code was developed as
    > best as it can possibly be developed than to pay less knowing
    > there are some bugs.

    Great. You just convince everyone else who buys software, and we'll all
    start shipping only bug-free product.

    (Why do so many people on this list believe that their opinion governs the
    software marketplace? If it did, we wouldn't have these problems - the
    market would have enforced software security long ago.)

    -- 
    Michael Wojcik
    Principal Software Systems Developer, Micro Focus
    
