Sure you will, because you bought your software or car in the days before
security (in the case of software) and safety (in the case of the car) was
integrated into products.
I can't really expect Volkswagen to retrofit my 1973 Beetle with rear seat
belts, can I?

The next version will be more expensive, because the cost of doing software
(and cars) went up.

As for Mr. Pang's problem, they should put that in the base charge. If the
customer asks why there's this item ("x human-weeks for threat modeling")
you tell them that it is necessary for security. If they say, "well, what
if we give this up?" then it's your call whether you tell them that (a) you
won't put your company's name on anything that wasn't properly developed, or
(b) OK, but there will be an extra charge if you later want us to fix
security problems.

In 1973 Volkswagen could make a beetle without seat belts. In 1994 they're
required to put in 5 seat belts and 2 airbags. If they don't, then the
paraplegic who got so in an accident will sue them for negligence and win.
Negligence law still doesn't apply to software security bugs, but do you
want your company to be the first test case? In 1994 you need to make a
real effort not to include security bugs. Threat modeling is one way of
showing due diligence.

-----Original Message-----
From: wirepair [mailto:wirepair (at) roguemail (dot) net [email concealed]]
Sent: Monday, September 27, 2004 12:40 AM
To: secprog (at) securityfocus (dot) com [email concealed]
Subject: Re: Charging customers on security

Charging for security of your own applications? That seems pretty backwards
to me. Why should
the client who buys your software with the expectation that it works and is
secure have to
pay for the fact that it isn't? So when my seat belts are broken, and my
tires randomly explode,
I have to pay the car manufacturer more money to get these features fixed?

duh?
-wire

On Thu, 23 Sep 2004 10:16:40 -0700
King Pang <kingpang (at) gmail (dot) com [email concealed]> wrote:
> Hello,
>
> Our company developers Microsoft Solutions and I am responsible for
> leading the security initiative in the corporation. I have spent a
> lot of time and effort on how we should apply security guidance to our
> product life cycle, such as adding threat modeling and doing security
> review. But after I have convinced them that security is important,
> we brought up a discussion on how we should charge our customers.
>
> Many of you have customer experience. They want to pay the minimum
> and have all the features. If they can choose not to pay, they won't.
> If we tell them threat modeling will add x human-weeks of development
> and we have to charge them x thousand dollars more, they won't pay.
> Moreover, they expect the system to be secure enough and if there is
> anything wrong, they would think that is our fault.
>
> If any of you have any experience on dealing security with customers
> and how you would deal with this issue, please throw in two cents. Any
> comments or related articles would help too.
>
> Warm Regards.

--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf

[ reply ]