The news (also posted below) that the NHS MTAS system for doctors' applications appears to have had merely the veneer of authentication and security is clearly something with massive and far-reaching ramifications. Currently, the line taken by MTAS and the NHS has been that this is a security breach, and that information was available globally for only a brief period of time. However, this line is a highly suspect one given what was discovered yesterday. A system which allows simple URL changes to access other users' accounts is not the sort of thing that can "just happen briefly". Systems don't work like that; they follow the logic and rules in their code. As such, the implication is that this is far more likely to be a fundamental code design flaw.
There are so many questions that need to be asked of the NHS on this matter now. Firstly, how did this webapp get from development to an Internet-facing production system? What processes were in place to test and ensure it was secure, and assuming there were processes, why did they fail? Did the Department of Health provide the development company with security policies, principles, and practices? What are the Department of Health's - and for that matter the Government's - security policies, principles and practices in software design? At the very least the principle of "least privilege" should be applied to all applications, yet in this case we seem to have a principle of "all privilege". Why?
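To make the "it's in the code, not a passing event" argument concrete, here is an added illustration (not code from MTAS, the NHS, or its contractor, and using constructed data and names throughout). The first handler checks only that somebody is logged in and then serves whatever record id appears in the URL, which is exactly the "all privilege" behaviour described above; the second applies least privilege by checking, server-side and from the session, that the record belongs to the user asking for it, and records refused requests so that a run of refusals from one session stands out in the logs.

```python
"""Added example: a URL-driven record lookup without, and then with, an
ownership check. Everything here (records, users, paths) is constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the signed-in user is not permitted to see a record."""


@dataclass
class Session:
    """What the server knows about the signed-in user (constructed)."""
    user_id: int


# Constructed applicant records, keyed by the id that appears in the URL.
RECORDS = {
    101: {"owner": 1, "name": "Applicant A", "notes": "constructed sample"},
    102: {"owner": 2, "name": "Applicant B", "notes": "constructed sample"},
}

# Refused requests, kept so that operations staff can see them (constructed
# in-memory stand-in for an audit log).
DENIED_LOG: list[tuple[int, int]] = []


def parse_record_id(path: str) -> int:
    """Pull the numeric id out of a path such as '/application/101'."""
    prefix = "/application/"
    if not path.startswith(prefix):
        raise ValueError("unexpected path")
    return int(path[len(prefix):])


def view_application_insecure(session: Session, path: str) -> dict:
    """The 'all privilege' handler: being logged in is checked, ownership is not.

    Any signed-in user who edits the id in the URL is served someone else's
    record, every time, because that is what the code says to do.
    """
    record_id = parse_record_id(path)
    return RECORDS[record_id]


def view_application_secure(session: Session, path: str) -> dict:
    """The 'least privilege' handler: the record must belong to the session user.

    The authorisation decision is made from the server-side session, never
    from anything the client supplied in the URL.
    """
    record_id = parse_record_id(path)
    record = RECORDS.get(record_id)
    # Same outcome whether the record is missing or simply not ours, so the
    # response does not reveal which ids exist.
    if record is None or record["owner"] != session.user_id:
        DENIED_LOG.append((session.user_id, record_id))
        raise Forbidden(f"user {session.user_id} may not view record {record_id}")
    return record


def demo() -> dict:
    """Run both handlers as user 1 asking for record 102, which belongs to user 2."""
    user_one = Session(user_id=1)
    results = {}
    # The insecure handler returns the other applicant's record.
    leaked = view_application_insecure(user_one, "/application/102")
    results["insecure_leaks"] = leaked["owner"] == 2
    # The secure handler refuses and logs the refusal.
    try:
        view_application_secure(user_one, "/application/102")
        results["secure_blocks"] = False
    except Forbidden:
        results["secure_blocks"] = True
    results["denied_logged"] = (1, 102) in DENIED_LOG
    # It still serves the user's own record.
    own = view_application_secure(user_one, "/application/101")
    results["secure_serves_own"] = own["owner"] == 1
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the pairing is the one the post makes: whichever of these two handlers was deployed, it behaved that way for every request from the day it went live, so a window of exposure is determined by how long the code was in production, not by any "brief period".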
Clearly security was a project deliverable; we know this because there is a "login" facility (which seems to be just a form). So, why wasn't it delivered? Why did the Project Manager and everyone else think it had been delivered? How do we get our money back? That last point is important. Clearly the Government contracted out this job. Who got the contract, how much was spent on it, and how does the Government recover the taxpayers' money for a product that was not delivered as per scope? In fact, "not delivered as per scope" is an understatement given the failures.
One final question for the Government relates to the age-old problem of development teams driving projects into production because of poorly defined demarcations of responsibility for systems. When this happens you often see so-called non-functional requirements, like proper session management, sane permission systems, and security, get overlooked. Protecting against this requires a strong-willed BOFH-style Operations team (and the odd hacker if possible) to carry out penetration tests, along with a hard-nosed Information Security officer to simply say "that's not going live". Where were they?
It is difficult to overstate the seriousness of what has happened here. If this online system is so fundamentally lacking in security as to allow read/write access to other people's records, what does it say about the rest of the NHS IT programme? What does it say for the Government's inter-departmental information sharing proposals? What does it say for the ID Card Register? More importantly, why did the Secretary of State do nothing when she knew about the problems weeks ago?
It is all well and good to implement IT, but it seems that what the Government should do right now is stop, freeze all of its IT project delivery dates, and start a full security audit of everything it has delivered or will deliver, along with a root and branch review of policy, procedure, process and practice.