Secure Programming
Charging customers on security Sep 23 2004 05:16PM
King Pang (kingpang gmail com) (6 replies)
Re: Charging customers on security Sep 28 2004 09:51AM
Andreas Krügersen (phoenix wyverex-cave net)


>----- Original Message -----
>From: "King Pang" <kingpang (at) gmail (dot) com>
>

>[snip]
>
>I was thinking if it is possible to charge customers in different
>security levels. Using username and password as an example: the basic
>level would come with no encryptions such that username / password are
>stored in plain text in the web.config. An intermediate level would
>store them in the registry using aspnet_setreg. An advanced level
>would blah… (you get the idea). Would this work? And more
>importantly, would the customers buy this idea?
>
>[snip]

I don't think that many customers will buy that if it gets too detailed.
Most of them don't have the knowledge to understand the impact on security
when you present them a huge list of possible options. They will mostly
choose the cheap solutions and eventually end up with an insecure version.
And if you point that out, they will tell you: "Hey, but I picked 5 of 100
security items! That should add a considerable amount of security..."

Making it a choice out of two or three different overall security levels
could work though. That is, the basic level would list all options
throughout the application (no encryption during data transport, very basic
authentication etc.) and you could tell your customer, that this is a very
basic and possibly insecure version. So you could offer different levels
where each one has a complete security design. Even customers with very
little security knowledge will understand the difference between a "low
security version" and a "high security version".

Now you only have to do a good job in making the customer understand
the consequences of his decision. Add a maintenance contract for future
improvements and that should be enough to keep your customers confident in
their decision. And if they choose a low level one and there is a security
flaw that gets exploited someday, you can still point at your contract and
say: "But you chose low level security. We warned you that it might be
risky".

Just my 2 cents

---
Andreas Krügersen

Copyright 2010, SecurityFocus