Security experts weighed in recently on Healthcare.gov and basically blasted the site's dismal lack of security. In a report presented to Congress on Thursday, Ed Skoudis, founder of Counter Hack, said that the site is a "breach waiting to happen," if it hasn't already. "These are exactly the kind of security flaws bad guys exploit in large-scale breaches," said Skoudis in the report.
"The findings disclose a wide range of issues that could cause serious harm to both healthcare.gov as well as any individual using the application," wrote Kevin Johnson of Secure Ideas. "These flaws are not even complex problems that would require advanced security knowledge to detect. Instead, they are issues that are detected with simple, standard techniques, of which any developer or QA professional should be aware."
Lares Consulting staff said the site contained numerous flaws that fail to meet the "bare minimum requirements" of the Open Web Application Security Project (OWASP) Top Ten, including: Injection, Broken Authentication and Session Management, Security Misconfigurations, Sensitive Data Exposure, Missing Function Level Access Control, Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
David Kennedy of TrustedSec said that the security review was politically unbiased and based solely on security issues. In addition to Kennedy, Skoudis, Johnson and Lares, statements were included from security consultants Kevin Mitnick and John Strand, who voiced similar concerns about the basic security of the site.