Wednesday, November 06, 2013

"We're gonna need a bigger boat"

That's from Jaws after Roy Scheider sees how big the shark is.  A similar reaction is sweeping through IT professionals as they process Kathleen Sebelius's latest testimony to the Senate Finance Committee regarding the Healthcare.gov functionality.  As James Taranto points out:

An expert assessment comes from Robert Charette, a technology risk-management consultant, in an interview with Willie Jones of IEEE Spectrum (IEEE is the Institute of Electrical and Electronics Engineers):

Jones: Last week, . . . Sebelius assured her inquisitors at a congressional hearing that her department has brought in experts that have a handle on the problems the site is facing. How confident should we be in Sebelius' assurances?

Charette: Not very. They're talking about dozens and dozens of items on their punch list—both in terms of functionality and performance issues. They've got just over 30 days to get through the list. Let's just say that there are 30 items on it. What do you think is the actual probability of getting through testing them, making sure that the system works end to end and that there are no security holes all in a single month? How do you expect to get that done, knowing that every time you make a fix, there's a high probability that you're going to introduce an error somewhere else?

Jones: Let's spin this forward a bit. How do you think this next month will actually go?

Charette: They said that they needed five weeks at the minimum to test it, and they're still making all these changes. Where will that five-week window fit? If they had stopped right then and tested it for five weeks, they wouldn't have been able to finish on time. And five weeks was probably the absolute minimum they needed, assuming everything worked. They're patching the system as they go along and as Sebelius admitted, they're doing very local unit tests (which, by the way, is what got them into this mess in the first place, with each contractor saying, "Well, my stuff works"). If they discover something major, they may have to run the whole system test again.

Jones: So they'll most likely gain functionality, but security is not a given.

Charette: Yes, unfortunately. It would be very surprising if there isn't some type of breach, either at the federal or state level, by this time next year.

And this pessimistic assessment ignores the fact that this system is interfacing with literally hundreds of other systems from hundreds of other companies, any one of which could be busted by only one fix.  And according to la Sebelius, how many 'fixes' are we talking about?  "Hundreds."

As I said before: we're gonna need a bigger boat.

