The number of variables that could affect this issue, when presented as it
is, make it very difficult to arrive at any workable answer. Is this a
"shrink wrap" package that can/is marketed to a large customer base, or a
custom, single-customer solution? It sounds like a little of both with
references to "product life cycle" in with "weeks of development," and
there are different answers/considerations for each model. In retail, the
competitive edge alone may justify a particular level of cost absorption if
higher returns are available-- if you are losing sales, you may have to just
eat it with no cost increase to remain competitive from a feature/security
standpoint. To me, lots more info is necessary.
That being said, you did identify that the customer(s) "expect the system to
be secure enough." If you can define what your customer considers "secure
enough," then that may provide you with a baseline. Work up detailed vision
scope documents that clearly state what security controls and provisions are
included, and (sometimes more importantly) what is not included. You may be
able to identify many possible threats based on the development model, but
you'll need your customer's input to be able to qualify the potential risks
each might represent-- and it will be that level of risk to the customer
that will dictate the need and level of a given security control- and what
you can negotiate as an appropriate development fee to implement it...
A place to start, anyway...
T
----- Original Message -----
From: "King Pang" <kingpang@gmail.com>
To: <secprog@securityfocus.com>
Sent: Thursday, September 23, 2004 10:16 AM
Subject: Charging customers on security
Hello,
Our company developers Microsoft Solutions and I am responsible for
leading the security initiative in the corporation. I have spent a
lot of time and effort on how we should apply security guidance to our
product life cycle, such as adding threat modeling and doing security
review. But after I have convinced them that security is important,
we brought up a discussion on how we should charge our customers.
Many of you have customer experience. They want to pay the minimum
and have all the features. If they can choose not to pay, they won't.
If we tell them threat modeling will add x human-weeks of development
and we have to charge them x thousand dollars more, they won't pay.
Moreover, they expect the system to be secure enough and if there is
anything wrong, they would think that is our fault.
If any of you have any experience on dealing security with customers
and how you would deal with this issue, please throw in two cents. Any
comments or related articles would help too.
Warm Regards.
