I agree that it is acceptable to charge for retrofitting a product with
security, however the implementation of threat modeling and security review
during the life cycle implies (or rather leads me to the inference) that the
OP was referring to best practices going forward as opposed to legacy
support.
Based on that inference I think that the idea of making application security
a "chargeable addon" is not just reprehensible, but negligent, and in fact,
I would use that as the basis for a civil suit if the a vendor brought a
low-cost insecure product which allowed my system to be compromised to
market while offering a secure version of the same product at a higher
price-point.
Obviously there is inherent value to security, but just as the automobile
industry has certain baseline safety requirements it must meet, it is time
for the industry as a whole to move towards the same type of requirements.
By this token, it may not be a requirement for VW to retrofit your beetle
with rear seat belts, but in certain legal jurisdications you may be
required to implement those safety features before you are allowed to sell
the vehicle.
With regards to the commercial viability of "charging for security", I think
that the only way you could get away with it is by following a secure design
methodology, performing security reviews, and implementing a pluggable
system for authentication and access controls.
Once you have done this you ship the base product with a simplistic access
control model (e.g. only two levels of access, admin, and user) and
authentication scheme (e.g. only allow username & password); you then
implement a variety access control modules (RBAC, MAC, etc) and
authentication models (smart card authentication, challenge-response, etc).
Yvan Boily
-----Original Message-----
From: Yoav Nir [mailto:ynir@checkpoint.com]
Sent: Monday, September 27, 2004 2:45 AM
To: secprog@securityfocus.com
Subject: RE: Charging customers on security
Sure you will, because you bought your software or car in the days
before security (in the case of software) and safety (in the case of
the car) was integrated into products.
I can't really expect Volkswagen to retrofit my 1973 Beetle with rear
seat belts, can I?
The next version will be more expensive, because the cost of doing
software (and cars) went up.
As for Mr. Pang's problem, they should put that in the base charge.
If the customer asks why there's this item ("x human-weeks for threat
modeling") you tell them that it is necessary for security. If they
say, "well, what if we give this up?" then it's your call whether you
tell them that (a) you won't put your company's name on anything that
wasn't properly developed, or
(b) OK, but there will be an extra charge if you later want us to fix
security problems.
In 1973 Volkswagen could make a beetle without seat belts.
In 1994 they're required to put in 5 seat belts and 2 airbags. If
they don't, then the paraplegic who got so in an accident will sue
them for negligence and win.
Negligence law still doesn't apply to software security bugs, but do
you want your company to be the first test case? In
1994 you need to make a real effort not to include security bugs.
Threat modeling is one way of showing due diligence.
-----Original Message-----
From: wirepair [mailto:wirepair@roguemail.net]
Sent: Monday, September 27, 2004 12:40 AM
To: secprog@securityfocus.com
Subject: Re: Charging customers on security
Charging for security of your own applications? That seems pretty
backwards to me. Why should the client who buys your software with the
expectation that it works and is secure have to pay for the fact that
it isn't? So when my seat belts are broken, and my tires randomly
explode, I have to pay the car manufacturer more money to get these
features fixed?
duh?
-wire
On Thu, 23 Sep 2004 10:16:40 -0700
King Pang <kingpang@gmail.com> wrote:
Hello,
Our company developers Microsoft Solutions and I am responsible for
leading the security initiative in the corporation. I have spent a
lot of time and effort on how we should apply security
guidance to our
product life cycle, such as adding threat modeling and
doing security
review. But after I have convinced them that security is
important,
we brought up a discussion on how we should charge our customers.
Many of you have customer experience. They want to pay the minimum
and have all the features. If they can choose not to pay,
they won't.
If we tell them threat modeling will add x human-weeks of
development
and we have to charge them x thousand dollars more, they won't pay.
Moreover, they expect the system to be secure enough and if
there is
anything wrong, they would think that is our fault.
If any of you have any experience on dealing security with
customers
and how you would deal with this issue, please throw in two
cents. Any
comments or related articles would help too.
Warm Regards.
--
Visit Things From Another World for the best comics, movies, toys,
collectibles and more.
http://www.tfaw.com/?qt=wmf
