Network Security SecProg

Re: Charging customers on security

Subject: Re: Charging customers on security
Date: Tue, 28 Sep 2004 11:51:56 +0200


----- Original Message -----
From: "King Pang" <kingpang@gmail.com>


[snip]

I was thinking if it is possible to charge customers in different security levels. Using username and password as an example: the basic level would come with no encryption, such that username / password are stored in plain text in the web.config. An intermediate level would store them in the registry using aspnet_setreg. An advanced level would blah... (you get the idea). Would this work? And more importantly, would the customers buy this idea?

[snip]

I don't think that many customers will buy that if it gets too detailed. Most of them don't have the knowledge to understand the impact on security when you present them a huge list of possible options. They will mostly choose the cheap solutions and eventually end up with an insecure version. And if you point that out, they will tell you: "Hey, but I picked 5 of 100 security items! That should add a considerable amount of security..."

Making it a choice out of two or three different overall security levels could work though. That is, the basic level would list all options throughout the application (no encryption during data transport, very basic authentication, etc.) and you could tell your customer that this is a very basic and possibly insecure version. So you could offer different levels where each one has a complete security design. Even customers with very little security knowledge will understand the difference between a "low security version" and a "high security version".

Now you only have to do a good job in making the customer understand the consequences of his decision. Add a maintenance contract for future improvements and that should be enough to keep your customers confident in their decision. And if they choose a low level one and there is a security flaw that gets exploited someday, you can still point at your contract and say: "But you chose low level security. We warned you that it might be risky".

Just my 2 cents

---
Andreas KrÃgersen
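As an added illustration, not part of the thread and not the original poster's code: the two credential-storage options the quoted question contrasts, for an ASP.NET 1.x impersonation identity. The first web.config puts the account name and password in clear text in the file itself. The second stores them with the aspnet_setreg tool, which writes them to a registry key encrypted with DPAPI, and has web.config reference that key instead of carrying the secret. The key path SOFTWARE\MY_SECURE_APP\identity and the account CORP\svc_webapp are assumed placeholders; the values shown are constructed sample data.

```xml
<!-- Option 1 (weak): credentials in clear text in web.config.
     Anyone who can read the file (backup, source control, path disclosure) has the password.
     Sample values are constructed placeholders. -->
<configuration>
  <system.web>
    <identity impersonate="true"
              userName="CORP\svc_webapp"
              password="s3cret-sample" />
  </system.web>
</configuration>

<!-- Option 2 (stronger): credentials held DPAPI-encrypted in the registry.
     Run once, as an administrator, on the web server (key path is an assumed placeholder):

         aspnet_setreg -k:SOFTWARE\MY_SECURE_APP\identity -u:"CORP\svc_webapp" -p:"s3cret-sample"

     This creates the subkey ...\identity\ASPNET_SETREG holding the encrypted userName and
     password values. Then grant the ASP.NET worker-process account read access to that key;
     without the ACL the application fails to start instead of falling back to clear text.
     web.config now carries only a reference, no secret: -->
<configuration>
  <system.web>
    <identity impersonate="true"
              userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
              password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
  </system.web>
</configuration>
```

The check a reviewer makes when grading such a "level": the registry option protects against disclosure of the configuration file, not against code running as the worker-process account, which can still decrypt the value because that is exactly what the runtime does. It is a real improvement over clear text, but it belongs in the "intermediate" tier for that reason, and the limitation should be stated in the same contract that documents the customer's choice.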
