Gartner Blog Network

How secure is

by Avivah Litan  |  October 31, 2013  |  2 Comments

A posting by blogger Ben Simo, a highly-experienced software tester, brings up many important and valid security issues with Ben has done a good job documenting some of the most egregious issues with that are definitive proof of the fact that security will continue to be a major issue for the Obamacare website. See

More fundamentally, it’s important to note that this could very well be a security disaster in the making because of the following facts:

a) The marketplace is run by an estimated 500 million lines of code, which is about 10 times the lines of code in Windows XP. The mammoth code base is managed by multiple system administrators, and different components reside on separate servers, according to developer Gabriel Harrop, who examined the software.

It’s simply too big a program to manage from a security perspective, given the level of expertise and coordination assigned to the project as we have come to know it. I’ve also been informed by developers who examined the application that it isn’t exactly a model of slick coding practices. For example, I was told that rather than build an array to compute 40 variables, someone cut and pasted a program to repeat a task forty times.

b) We all know about the performance problems that have surfaced because of the multiple disjointed and uncoordinated groups of contractors who worked to create different components of As security vulnerabilities are discovered, it will be very difficult to push out patches to the marketplace and get them properly tested to ensure that all the disjointed parts work together securely. After all, even CMS admitted they didn’t have time to properly vet the security of the initial code set!

c) is surely a prime target for hackers. There is an abundance of sensitive personal information that is being submitted that hackers will want to steal. Based on issues already documented by Ben and others, this will be a much easier hacking target than banks, retailers, payment processors and other enterprises where the crooks are already succeeding, despite billions of dollars being spent on security in order to be compliant with government regulations and the rules of the payment card networks (e.g. PCI).

d) Finally, we already know that the knowledge-based authentication system that is using to verify applicant identities has been systematically compromised by identity theft gangs. See

e) Who’s supervising and examining Are there any security standards set for this critically important and sensitive website?

Frankly, I think the Obama Administration should cut their losses and fess up and admit they need to get the system overhauled and rewritten. And that is not going to take one or two months, as they say. The best they will be able to do in that timeframe is fix the performance issues. The security issues are surely much more complex – you can’t just throw horsepower at them. You need intelligent software and layers of defense. That takes time to bake in.

You can be sure the Republicans are going to pounce on any bug they can find. Hopefully they won’t be able to find any really serious ones that compromise the confidentiality of Americans already struggling to get health care insurance.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.

Thoughts on How secure is

  1. […] Read the entire post: […]

  2. […] a lot that has been said or written about security that you could find for yourself online (Read this, this). But, according to what I know this website is not secure to the level that you or I are […]

