Is My Data on Healthcare.gov Secure? - Committee on Science (19 Nov 2013)

At page 30 of the PDF (page 1 of David Kennedy/TrustedSec Security Analysis):

TrustedSec performed an open-source analysis of the security around the healthcare.gov website. This report contains information regarding the concerns for the security around the website and the ability to keep United States citizen information protected to an adequate level. TrustedSec did not perform analysis through hacking techniques, as our organization was not authorized to perform offensive activities against the site. Instead, TrustedSec utilized information readily available on the Internet as well as analysis of information presented back from the website to perform the assessment.

What this analysis shows us is that, as an attacker, there are known exposures in the healthcare.gov website today that could lead to significant compromise of the website and information. Additionally, the website is integrated into multiple agencies, including some of the largest collections of United States citizen data; this includes the Internal Revenue Service (IRS) and other federal agencies. Based on our evaluation of the website, we have serious concerns over the security of the website and the ability to protect information. This document will explain our approach, what was identified, and the future roadmap to ensuring that the website and its integration into multiple agencies can be successful and secure. We appreciate the opportunity to present this information to government officials and look forward to our testimony on November 19, 2013.

Sincerely,
David Kennedy

At page 44 of the PDF (page 15 of David Kennedy/TrustedSec Security Analysis):

Complex websites such as this are bound to have exposures and glitches; however, it appears, based on the sheer number of exposures and the lack of formal testing around security, that there are systemic and serious concerns with the healthcare.gov website. Based on our experience, in large web applications such as this, there are a few options available in order to address the security concerns with the website.

Option 1: Version 2.0 (Highly Recommended)

The website that is currently up is functioning in some capacity. The overly complex solution designed for the integration into state exchanges and other areas for real-time display of healthcare programs should be re-written from a code optimization standpoint. In something this complex, if design and code quality weren't created from the start, the fixes that we see now will only be small patches for a much larger problem. The first option would be to write a second healthcare.gov website in conjunction with what's currently up and running. This version 2.0 would be completely redesigned from the ground up with security and proper development processes established.

Option 2: Shut Down and Fix

If the website is shut down for the time being in order to address the situation, this may allow a more rapid response to addressing security concerns with the website. A penetration test, which is apparently in process on the website, is not recommended at this point. A full source code review and dynamic logic testing with use cases on the application should be considered for a more in-depth review. This will alleviate some of the major security issues, but based on the complexity and size, the remediation process will span seven to twelve months at a minimum.

Option 3: Fix in Production

The term "production" refers to a site or application that is already up and running with normal user traffic. In this case, significant changes to a production environment need to undergo extensive testing before promotion from a QA/Dev/Test scenario. In a formal process, coding changes would occur, be tested in a formal setting in a non-production instance, and then be promoted to production, or the live site. This process definitely slows down the ability to introduce rapid fixes to the website, as it could dramatically impact the end-user experience and functionality of the website.
#1. To: All (#0)
Today, Henry Chao testified that 30 to 40% of the Federal website has not been built. That includes the part that processes tax credit payments to insurers.