Yes, you do have to pay the car manufacturer for better tires and good
seatbelts. Why did you expect the car was that cheap in the first place? In
the IT customers expect a Mercedes while not wanting to pay more than the
price of a second hand Subaru.
If your customer is not willing to pay for a security update for the current
product, you have three possibilities:
1. Sell your customer a new product and emphasize the enhanced security. Add
a couple of other great features to make it convincing, tell him the current
version will no longer be supported Q2-2005, etcetera. Again that is a nice
task for the sales dep.
2. Let your customer pay for security enhancements and other bugs through
maintenance subscriptions. That way he pays in advance for mistakes you (or
others) will discover. If your customer is willing to pay even more for his
subscription he can get tailor made patches that fit his companies.
3. If your sales staff can't sell security in a time like this: fire the
entire sales department and hire a new one. They always manage to sell the
biggest nonsense and let us developers solve the problems they have created.
For once they should earn their living :-)
Don't forget to read the Dilbert cartoons. They are very educating on these
matters.
GRTNX from Holland,
Ton
-----Original Message-----
From: wirepair [mailto:wirepair@roguemail.net]
Sent: zondag 26 september 2004 23:40
To: secprog@securityfocus.com
Subject: Re: Charging customers on security
Charging for security of your own applications? That seems pretty backwards
to me. Why should
the client who buys your software with the expectation that it works and is
secure have to
pay for the fact that it isn't? So when my seat belts are broken, and my
tires randomly explode,
I have to pay the car manufacturer more money to get these features fixed?
duh?
-wire
On Thu, 23 Sep 2004 10:16:40 -0700
King Pang <kingpang@gmail.com> wrote:
Hello,
Our company developers Microsoft Solutions and I am responsible for
leading the security initiative in the corporation. I have spent a
lot of time and effort on how we should apply security guidance to our
product life cycle, such as adding threat modeling and doing security
review. But after I have convinced them that security is important,
we brought up a discussion on how we should charge our customers.
Many of you have customer experience. They want to pay the minimum
and have all the features. If they can choose not to pay, they won't.
If we tell them threat modeling will add x human-weeks of development
and we have to charge them x thousand dollars more, they won't pay.
Moreover, they expect the system to be secure enough and if there is
anything wrong, they would think that is our fault.
If any of you have any experience on dealing security with customers
and how you would deal with this issue, please throw in two cents. Any
comments or related articles would help too.
Warm Regards.
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
