David Kennedy, CEO of the firm, revealed that he withheld many of the vulnerabilities because they were so severe that publishing them could have meant the complete destruction of the site. His executive summary read simply, "based on what I can see … I would say the website is either hacked already or will be soon."
I perused the entire report (PDF) this evening. In short, the site is not only a complete catastrophe from an operational perspective, it's also a hacker's dream.
Microsoft has one of the largest and most sophisticated security development, protection, and remediation processes today. This process has taken years to mature and places security at the forefront. With a website that is over 6 times more complex than the Microsoft operating system and developed in an extremely short period of time, there is and was no foreseeable way to build security into the website...
...there are clear indicators that even basic security was not built into the healthcare.gov website. TrustedSec is confident based on the exposures identified that the website has critical risks associated with it and security concerns should be remediated immediately...
...TrustedSec identified multiple severely critical exposures that it is not publishing publicly until they have been addressed.
...One of the more alarming trends is that the actual security testing of the website was deferred due to project delays. The website was launched without formal testing and with known risks around the security of the applications. Even further, there was little to no security built into the website or through the development. With the complexity of the website, this would indicate that the website will suffer from significant security concerns for a long period of time unless significant action is taken to address the issues and flaws within it.
...It appears that individual user accounts and names are indexed via Google and can expose profile information of individuals that sign up on data.healthcare.gov.
Based on what I've seen, Healthcare.gov may be the single biggest magnet for identity thieves in world history.
And, come to think of it, that's another historic Obama first!