In a letter dated May 1, Representative Lamar Smith of Texas, Chair of the House Committee on Science, Space and Technology, asked Gene Dodaro, Comptroller General of the Government Accountability Office (GAO), to expand the GAO's audit of the Healthcare.gov web site. As reported by Healthcareinfosecurity.com, Smith asked the GAO to add “penetration testing, source code analysis, a review of the developer supply chain, and an examination of secure code practices through the software development cycle” to its audit. Smith and his allies are right to demand that the GAO's audit of Healthcare.gov cover the underlying web application code, the development practices behind it, and the code of the third-party “supply chain” partners that contributed to the site.
For one thing, Smith's request comes in the wake of Heartbleed, a dangerous security hole in OpenSSL, an open source component that was used in Healthcare.gov as well as in millions of other web sites. Presumably, Smith's call for a review of Healthcare.gov's software supply chain is meant to identify other vulnerable components or modules that might be powering the site: the lesson of Heartbleed is that you cannot fix a component you do not know you are running.

The other point is that an audit of a high-profile web site that serves millions of Americans and collects sensitive personal and financial information absolutely must include both manual and automated penetration testing (how the site stands up to attack) as well as a code audit, a hard look at the underlying code that makes up the site. According to Healthcareinfosecurity.com, however, the GAO's ongoing audit only mentions "an architecture review, vulnerability testing and examination of the monitoring and incident detection capabilities of the website." Vulnerability testing from the outside tells you which flaws are reachable today; only source code analysis tells you which ones are in there waiting to be reached.

While we don't know exactly what went into the Healthcare.gov stew, we know that the development of the site was chaotic. The site was woefully behind schedule when it launched in October, as evidenced by the immediate failure of the portal. The government has since fired the lead contractor, CGI Federal. Since the launch, security researchers who have audited parts of the site have raised concerns that it lacks proper security controls and have even suggested that the site be shut down. David Kennedy of the firm TrustedSec warned that the site was “not developed with security in mind,” and therefore will take longer to fix.

The problem, of course, is that the security problems with Healthcare.gov aren't just technology problems. They are evidence of larger cultural and management failings of the kind found in many large organizations. As this blog noted last week, security testing needs to be part and parcel of the development plan.
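To make the “developer supply chain” review concrete, here is a minimal software-composition check of the kind such a review would run. This is an added example for this post, not code from the GAO, CGI Federal or Healthcare.gov; the component inventory is constructed for illustration, and the only fact it relies on is that Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f, with 1.0.1g and the 1.0.0 and 0.9.8 branches unaffected. It walks an inventory of components and flags the OpenSSL builds that still need patching.

```python
"""Added example (not from the original post): flag Heartbleed-affected
OpenSSL builds in a component inventory, the first question a supply-chain
review of a site like Healthcare.gov would have had to answer in April 2014.
"""
import re

# Constructed inventory: (component, version, where it was found).
# Real data would come from package manifests, binaries on the hosts,
# or a software bill of materials supplied by each contractor.
INVENTORY = [
    ("openssl", "1.0.1e", "web-tier AMI"),
    ("openssl", "1.0.1g", "load balancer"),
    ("openssl", "1.0.0k", "legacy batch host"),
    ("openssl", "0.9.8y", "reporting appliance"),
    ("nginx", "1.4.7", "web-tier AMI"),
]

# OpenSSL versions look like 1.0.1f: three numeric parts plus an optional
# patch letter. The letter is the patch level, so it must sort after "no letter".
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(v):
    """Turn '1.0.1f' into the sortable tuple (1, 0, 1, 6)."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {v!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_heartbleed_vulnerable(version):
    """True for OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160)."""
    v = parse_version(version)
    return (1, 0, 1, 0) <= v <= (1, 0, 1, 6)


def find_vulnerable(inventory):
    """Return the (component, version, location) entries that need remediation."""
    return [
        item for item in inventory
        if item[0] == "openssl" and is_heartbleed_vulnerable(item[1])
    ]


if __name__ == "__main__":
    for comp, ver, where in find_vulnerable(INVENTORY):
        print(f"{comp} {ver} on {where}: Heartbleed-vulnerable, upgrade to 1.0.1g or later")
```

The check is deliberately strict about the version format: an inventory entry that cannot be parsed raises rather than silently passing, because an unknown component version is exactly the gap a supply-chain review exists to surface.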
And, when issues are discovered as part of that testing, there needs to be a plan in place to remediate them. Simply knowing about vulnerabilities isn’t useful if an organization lacks the ability or will to address them.