I just finished reading a provocative piece about the Obamacare website in, ironically enough, Time’s “SWAMPLAND” edition. In it, Michael Scherer argues that the healthcare website isn’t failing because of overwhelming traffic, but because the website is badly coded. “The basic architecture of the site, built by federal contractors overseen by the Department of Health and Human Services, was flawed in design, poorly tested and ultimately not functional,” Scherer states.
This morning, developers are testifying to Congress to explain the security vulnerabilities and the inoperability of some of the site’s features. It will be very interesting to follow the progress of this hearing. I’m curious:
- Which tools did the developers use to assess vulnerabilities? Paid or open source?
- How often was the software tested? Could continuous assessment have improved the end result?
- Besides the functional misfires and customer frustrations (which are significant), are there even more dangerous vulnerabilities lurking in the code?
I hope the national coverage heightens awareness of the importance of code review and vulnerability assessments. The security guys and gals (I am in Texas right now, so imagine this with a Texas twang) already understand how important testing is. But the average developer without security training may not. Let this spotlight on Obamacare’s website be a call to action to developers: assess your code before you deploy to production to improve security and avoid bad PR.
Y’all take care.