Network Security SecProg

RE: Charging customers on security

Subject: RE: Charging customers on security
Date: Mon, 27 Sep 2004 13:53:35 -0400

King Pang wrote:

> I was thinking if it is possible to charge customers in different
> security levels.  Using username and password as an example: the basic
> level would come with no encryptions such that username / password are
> stored in plain text in the web.config.  An intermediate level would
> store them in the registry using aspnet_setreg.  An advanced level
> would blah. (you get the idea).  Would this work?  And more
> importantly, would the customers buy this idea?

If I were building customized per-client solutions, then yes, tiering
your level of security in each product might be one way of doing
business.  I personally like what another commenter said, to just
include the whole security deal in by default.  It looks better from the
get-go because you're concerned about the security of a product, and it
doesn't exclude the possibility of a client requesting that security
take a back-seat to price.

> Or, is it possible to introduce a third party company to do security
> audit on the solution to be delivered, just like a car must pass some
> safety test.  In this case, will the customer be willing to pay for
> it? Any experience?

While I don't have any experience with this, I would think that this
would be a matter of how you bill your client.  If the client is paying
for expenses (such as this security audit) then sure.  I would suspect
that most clients would react negatively to having to pay "extra" for
security.

> Thanks for all comments.  All of you have been very helpful.

No problem. :)   Remember that it all comes down to perception.  If the
client feels that you're trying to cheat them by adding on to the cost
of the software to drive up the price, then they will (rightly) be wary
of doing business with you.  If they feel that you are offering your
best solution to the problem and they have control to modify what goes
in and out, then you maintain integrity and are always free to walk from
the deal if you feel that it will not reflect well on your reputation
for building good, high quality software.

Cheers,
Chris

