"The findings disclose a wide range of issues that could cause serious harm to both healthcare.gov as well as any individual using the application," wrote Kevin Johnson of Secure Ideas. "These flaws are not even complex problems that would require advanced security knowledge to detect. Instead, they are issues that are detected with simple, standard techniques, of which any developer or QA professional should be aware."
Lares Consulting staff said the site contained numerous flaws that fail to meet the "bare minimum requirements" of the Open Web Application Security Project (OWASP) Top Ten, including: Injection, Broken Authentication and Session Management, Security Misconfigurations, Sensitive Data Exposure, Missing Function Level Access Control, Using Components with Known Vulnerabilities, and Unvalidated Redirects and Forwards.
David Kennedy of TrustedSec said that the security review was politically unbiased and based solely on security issues. In addition to Kennedy, Skoudis, Johnson and Lares, statements were included from security consultants Kevin Mitnick and John Strand, who had similar concerns as to the basic security of the site.