There's plenty of programs that are secure in and of them selves but
which can be deployed in an insecure manner.
Many people pay to have their car maintained so that it's safe to
drive, including checking the tire pressure to make sure they don't
randomly blow out.
--
Michael Conlen
On Sep 26, 2004, at 6:40 PM, wirepair wrote:
Charging for security of your own applications? That seems pretty
backwards to me. Why should
the client who buys your software with the expectation that it works
and is secure have to
pay for the fact that it isn't? So when my seat belts are broken, and
my tires randomly explode,
I have to pay the car manufacturer more money to get these features
fixed?
duh?
-wire
On Thu, 23 Sep 2004 10:16:40 -0700
King Pang <kingpang@gmail.com> wrote:
Hello,
Our company developers Microsoft Solutions and I am responsible for
leading the security initiative in the corporation. I have spent a
lot of time and effort on how we should apply security guidance to our
product life cycle, such as adding threat modeling and doing security
review. But after I have convinced them that security is important,
we brought up a discussion on how we should charge our customers.
Many of you have customer experience. They want to pay the minimum
and have all the features. If they can choose not to pay, they won't.
If we tell them threat modeling will add x human-weeks of development
and we have to charge them x thousand dollars more, they won't pay.
Moreover, they expect the system to be secure enough and if there is
anything wrong, they would think that is our fault.
If any of you have any experience on dealing security with customers
and how you would deal with this issue, please throw in two cents. Any
comments or related articles would help too.
Warm Regards.
--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf
--
Michael Conlen
meconlen@obfuscated.net
