Secure Ideas has tested hundreds, if not thousands, of applications over the years we have been in business. Based on this experience, along with our public classes and presentations around application security, Dave Kennedy of TrustedSec asked me to review the details of security flaws within HealthCare.gov. As part of this review, Dave provided a series of findings as well as supporting documentation. The result was a document that outlined my evaluation of the security and IT issues. This document, along with other security consultants’ evaluations, was entered into the Congressional testimony on Thursday, January 16, 2014. Below is a copy of that testimony.
As the CEO of Secure Ideas and a security professional for more than a decade, I was asked to review a series of security findings related to the healthcare.gov website. I was provided with a report of findings plus supporting documents that reveal a series of flaws that were found within the variety of pieces that make up the healthcare.gov application. In my professional opinion, these findings exhibit not only a basic lack of security testing, but also reflect signs that standard IT change management and validation practices are not being followed. These security findings are typical findings we see when an application has been written by developers who have not been introduced to basic security training, nor understand the importance of security within an application. The findings disclose a wide range of issues that could cause serious harm to both healthcare.gov as well as any individual using the application. These flaws are not even complex problems that would require advanced security knowledge to detect. Instead, they are issues that are detected with simple, standard techniques, of which any developer or QA professional should be aware.
From a security perspective, items such as the JSON injection and the lack of access controls for eligibility reports are commonly seen in applications not scrutinized by any type of security assessment. These are the types of flaws that a security assessment should find with little effort. Given the existence of these flaws for such a prolonged amount of time after the release of the application, it is a certainty that security testing is either not being performed at all, not being performed well, or the results of the testing are not being made part of remediation efforts. Applications containing low hanging fruit such as these flaws typically also contain much more serious issues.
From a basic IT perspective, the problems and concerns discovered also reflect a lack of change validation and functionality testing that should be performed regularly throughout an application’s lifecycle, an example of which is the error on the SPF record. Even in immature technology shops, when a feature or change is made to the system, such as when a DNS record is created, it is standard practice to verify that the change was made correctly. The fact that this SPF record is not correctly implemented in healthcare.gov indicates that no one verified the functionality.
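The verification step this paragraph calls for, written out as an added example that is not part of the testimony or of any Secure Ideas tooling: a Python check of a zone's published SPF TXT records against the RFC 7208 rules that most often trip up a freshly created record (missing or duplicate record, a typo in a mechanism name, no terminating `all`, more than 10 DNS-lookup terms). The record strings are constructed samples; fetching the real TXT records from DNS is assumed to happen elsewhere.

```python
import re

# Terms whose evaluation costs a DNS lookup; RFC 7208 caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}


def validate_spf(txt_records):
    """Return the problems found in a zone's TXT records; [] means the SPF record checks out.

    txt_records: the TXT strings the zone publishes (assumed to be fetched separately).
    """
    problems = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no TXT record starting with v=spf1"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; RFC 7208 allows exactly one")
    terms = spf[0].split()[1:]
    lookups = 0
    saw_all = False
    for term in terms:
        if saw_all:  # anything after 'all' is dead text, usually a paste error
            problems.append(f"term '{term}' after 'all' is never evaluated")
            break
        name = re.sub(r"^[+\-~?]", "", term)                    # drop the qualifier
        name = re.split(r"[:/=]", name, maxsplit=1)[0].lower()  # keep the mechanism name
        if name not in KNOWN_TERMS:
            problems.append(f"unknown mechanism or modifier '{term}'")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            saw_all = True
    if not saw_all and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("record has no 'all' mechanism (and no redirect=); result is neutral")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return problems


# Constructed sample zones; not healthcare.gov's actual records.
GOOD_ZONE = ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"]
FORGOT_ALL_ZONE = ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24"]

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("forgot-all", FORGOT_ALL_ZONE)):
        print(label, validate_spf(zone) or "OK")
```

Run against the TXT records a resolver returns for the zone right after the change is pushed; an empty list is the "verified" sign-off the paragraph describes, anything else goes back to whoever made the change.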
These are the types of issues that security professionals would hope never to see in a government application. Given the industry standard application development lifecycle, these problems should simply not exist in this application. It is evidence of a lack of integrated security and quality assurance validation in the development lifecycle of healthcare.gov. Security and quality assurance are basic types of processes the federal government should consider essential and non-negotiable from its application developers.
My experience in the field of web application security is quite extensive. I am the CEO and a principal security consultant of Secure Ideas, LLC, an IT security consulting firm. I perform penetration tests and security reviews of web applications and infrastructure across many industries and government systems. Additionally, I am an instructor and author of multiple courses that teach web application security testing and secure development practices. These courses are used to train thousands of security professionals around the globe every year. Based on this experience, and the results of the testing I have been privy to, I believe it is imperative that the healthcare.gov application have a thorough assessment of both the security and the IT processes and controls surrounding it. Given the extent of use of the application, I also believe that after the initial security assessment is complete, continued regular assessments of the application are imperative to the maintenance and continued security of this vital application.
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.