Hi,

I'm administrator of an online game, located at www.shimlar.com
Although far from secure, we do our best to secure it as good as possible.
Why? Not because we're payed... it's a 100% free game.
We only do that to make OUR workload less.

Example? If someone claims he's hacked, we can reply: "Why aren't the admin
accounts never hacked? Change your password and keep it safe."
If we would have a lousy security, we would have to solve every little
problem...

I agree that security is the last thing developpers have time for, sad as it
seems.
That's why software shouldn't be sold... but rented.

At work, we develop a webapplication. If customers want extra's, we'll add
them, for a price.
It's a two way street: if we don't add, they won't pay the fee next year...
but if they don't pay, they have a lousy application.
Walking the thin line, but it works.

We already made our customers sign agreements that we didn't take
responsability if certain things weren't implemented.

Koen

-----Original Message-----
From: ovi [mailto:marioara.alexandru (at) tin (dot) it [email concealed]]
Sent: Monday, September 27, 2004 3:57 PM
To: secprog (at) securityfocus (dot) com [email concealed]
Subject: Re: Charging customers on security

It's ridiculous. What are you saying ?? If I as a client, don't pay you for
having a stable and secure program you sell me a buggy one???? Not even M$
is
thinking this way anymore, although they continue to sell buggy OS.

On Sunday 26 September 2004 22:40, wirepair wrote:
> Charging for security of your own applications? That seems pretty
backwards
> to me. Why should the client who buys your software with the expectation
> that it works and is secure have to pay for the fact that it isn't? So
when
> my seat belts are broken, and my tires randomly explode, I have to pay the
> car manufacturer more money to get these features fixed?
>
> duh?
> -wire
>
> On Thu, 23 Sep 2004 10:16:40 -0700
>
> King Pang <kingpang (at) gmail (dot) com [email concealed]> wrote:
> > Hello,
> >
> > Our company developers Microsoft Solutions and I am responsible for
> > leading the security initiative in the corporation. I have spent a
> > lot of time and effort on how we should apply security guidance to our
> > product life cycle, such as adding threat modeling and doing security
> > review. But after I have convinced them that security is important,
> > we brought up a discussion on how we should charge our customers.
> >
> > Many of you have customer experience. They want to pay the minimum
> > and have all the features. If they can choose not to pay, they won't.
> > If we tell them threat modeling will add x human-weeks of development
> > and we have to charge them x thousand dollars more, they won't pay.
> > Moreover, they expect the system to be secure enough and if there is
> > anything wrong, they would think that is our fault.
> >
> > If any of you have any experience on dealing security with customers
> > and how you would deal with this issue, please throw in two cents. Any
> > comments or related articles would help too.
> >
> > Warm Regards.
>
> --
> Visit Things From Another World for the best
> comics, movies, toys, collectibles and more.
> http://www.tfaw.com/?qt=wmf

[ reply ]