You could point out that microsoft and oracle are advertising the
security and reliability of their applications, and it may be a
competitive advantage if you devote resources to it.

Adam

On Sun, Sep 26, 2004 at 02:40:29PM -0800, wirepair wrote:
| Charging for security of your own applications? That seems pretty backwards
| to me. Why should
| the client who buys your software with the expectation that it works and is
| secure have to
| pay for the fact that it isn't? So when my seat belts are broken, and my
| tires randomly explode,
| I have to pay the car manufacturer more money to get these features fixed?
|
| duh?
| -wire
|
| On Thu, 23 Sep 2004 10:16:40 -0700
| King Pang <kingpang (at) gmail (dot) com [email concealed]> wrote:
| >Hello,
| >
| >Our company developers Microsoft Solutions and I am responsible for
| >leading the security initiative in the corporation. I have spent a
| >lot of time and effort on how we should apply security guidance to our
| >product life cycle, such as adding threat modeling and doing security
| >review. But after I have convinced them that security is important,
| >we brought up a discussion on how we should charge our customers.
| >
| >Many of you have customer experience. They want to pay the minimum
| >and have all the features. If they can choose not to pay, they won't.
| >If we tell them threat modeling will add x human-weeks of development
| >and we have to charge them x thousand dollars more, they won't pay.
| >Moreover, they expect the system to be secure enough and if there is
| >anything wrong, they would think that is our fault.
| >
| >If any of you have any experience on dealing security with customers
| >and how you would deal with this issue, please throw in two cents. Any
| >comments or related articles would help too.
| >
| >Warm Regards.
|
| --
| Visit Things From Another World for the best
| comics, movies, toys, collectibles and more.
| http://www.tfaw.com/?qt=wmf

[ reply ]