Friday, April 27, 2007

Why did no one say "that's not going live"?

The news (see also the post below) that the NHS MTAS system for doctors' applications appears to have had merely the veneer of authentication and security is clearly something with massive and far-reaching ramifications. Currently, the line from MTAS and the NHS has been that this was a security breach and that information was available globally for only a brief period of time. However, that line is a highly suspect one given what was discovered yesterday. A system which allows simple URL changes to access other users' accounts is not the sort of thing that can "just happen briefly"; systems don't work like that, they follow the logic and rules in their code. As such the implication is that this is far more likely to be a fundamental code design flaw.

There are so many questions that need to be asked of the NHS on this matter now. Firstly, how did this webapp get from development to an Internet-facing production system? What processes were in place to test it and ensure it was secure, and assuming there were processes, why did they fail? Did the Department of Health provide the development company with security policies, principles, and practices? What are the Department of Health's - and for that matter the Government's - security policies, principles and practices in software design? At the very least the principle of "least privilege" should be applied to all applications, yet in this case we seem to have had a principle of "all privilege". Why?

Clearly security was a project deliverable; we know this because there is a "login" facility (which seems to be just a form). So, why wasn't it delivered? Why did the Project Manager and everyone else think it had been delivered? How do we get our money back? That last point is important. Clearly the Government contracted out this job: who got the contract, how much was spent on it, and how does the Government recover the taxpayers' money for a product that was not delivered as per scope? In fact, "not in scope" is an understatement given the failures.

One final question for the Government relates to the age-old problem of development teams driving projects into production because of poorly defined demarcations of responsibility for systems. When this happens you often see so-called non-functional requirements, like proper session management, sane permission systems, and security, get overlooked. Protecting against this requires a strong-willed BOFH-style Operations team (and the odd hacker if possible) to carry out penetration tests, along with a hard-nosed Information Security officer to simply say "that's not going live". Where were they?
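To make concrete the design flaw described above (a login "veneer" where editing an identifier in the URL reaches someone else's record), here is an added illustration, not MTAS or Jobsite code: a logged-in-only handler beside one that applies the per-record ownership check that "least privilege" and a sane permission system require. The session table, record store and function names are all constructed for the example.

```python
# Added example, not code from the original post or the MTAS system.
# All sessions and records below are constructed for illustration.

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> logged-in user

APPLICATIONS = {                                      # application id -> record
    1001: {"owner": "alice", "specialty": "Paediatrics", "notes": "private"},
    1002: {"owner": "bob",   "specialty": "Surgery",     "notes": "private"},
}


def current_user(session_token):
    """Authentication only: who is logged in? Raises for an unknown session."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise PermissionError("not logged in")


def view_application_vulnerable(session_token, app_id):
    """The flawed design: being logged in is the only check, so any valid
    session can read any application simply by changing app_id in the URL."""
    current_user(session_token)      # verifies *that* someone is logged in...
    return APPLICATIONS[app_id]      # ...but never *which* records they may see


def view_application(session_token, app_id):
    """Hardened: authorisation is a separate, per-object check. The record is
    returned only when the session's user owns it; anything else is refused."""
    user = current_user(session_token)
    record = APPLICATIONS.get(app_id)
    if record is None or record["owner"] != user:
        # Same error for "missing" and "not yours": do not reveal which ids exist.
        raise PermissionError("no such application for this user")
    return record


def update_application(session_token, app_id, **changes):
    """The write path gets the same ownership check, and the client is never
    allowed to reassign the owner field."""
    record = view_application(session_token, app_id)   # raises if not owned
    changes.pop("owner", None)
    record.update(changes)
    return record
```

The vulnerable handler is the pattern a penetration test should catch before go-live: authentication answers "who are you?", but only an authorisation check answers "may you see this record?".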

It is difficult to overstate the seriousness of what has happened here. If this online system is so fundamentally lacking in security, to the point of allowing read/write access to other people's records, what does it say about the rest of the NHS IT programme? What does it say for the Government's inter-departmental information sharing proposals? What does it say for the ID Card Register? More importantly, why did the Secretary of State do nothing when she knew about the problems weeks ago?

It is all well and good to implement IT, but it seems that what the Government should do right now is stop, freeze all its IT project delivery dates, and start a full security audit of everything it has delivered or will deliver, along with a root and branch review of policy, procedure, process and practice.


Anonymous said...

UK Daily Pundit posts the following today.

The company running the website, Jobsite, was acquired in 2004 by Associated New Media; which, as all good bloggers will know, is a division of Associated Newspapers Ltd, the publishers of the Daily Mail.

Site not working this morning.

dizzy said...

Hmmm, domain registration is certainly owned by them

Anonymous said...

Jobsite came back up at 0815 with a page providing its history, including this: 2003: Won contract to provide a national online recruitment service over the next 5 years for the National Health Service - the nation's biggest employer.

Anonymous said...

I've always believed that PRINCE, SSADM, ITIL & all the other HMG stuff about how IT should be done, was self-serving rubbish. They've also spent years trying to ram it down the throats of private enterprise. It's now all shown up to be just lip-service to good practice ideas. As usual, if this had happened in the private sector, there would have been resignations, sackings, breach-of-contract lawsuits, you name it. This is MONUMENTAL, not quite ENRON big, but really, really, bad. Once the IT press get their teeth into this it'll run for ages. With this shower probably nothing will happen, although the very least is that the Information Commissioner should be on the case.

Fitaloon said...

See my blog entry from last night for details on the ownership of the companies running/developing MTAS website here

Anonymous said...

I hope you meant that it is difficult to overstate the seriousness of the matter.

dizzy said...

yeah.. oops