Make critical logic flows thread safe
Summary
Critical and high-value business logic flows must be thread safe and resistant to time-of-check and time-of-use (TOCTOU) race conditions.
Description
A race condition occurs when a code sequence requires exclusive access to a resource but another code sequence can modify the same resource before the first one has released it. This can have security implications if it occurs during high-value business logic flows, such as authentication, authorization and session management. Therefore, threads and concurrent processes must be managed carefully in order to prevent race conditions from arising.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CAPEC™-25. Forced deadlock
- CAPEC™-26. Leveraging race conditions
- CAPEC™-27. Leveraging race conditions via symbolic links
- CAPEC™-29. Leveraging time-of-check and time-of-use (TOCTOU) race conditions
- CAPEC™-30. Hijacking a privileged thread of execution
- CAPEC™-124. Shared resource manipulation
- CAPEC™-233. Privilege escalation
- CWE™-362. Concurrent execution using shared resource with improper synchronization ("race condition")
- CWE™-367. Time-of-check time-of-use (TOCTOU) race condition
- NIST Framework-ID_AM-3. Organizational communication and data flows are mapped
- Agile Alliance-9. Continuous attention to technical excellence and good design
- CERT-C-CON38-C. Preserve thread safety and liveness when using condition variables
- CERT-J-TSM00-J. Do not override thread-safe methods with methods that are not thread-safe
- MITRE ATT&CK®-M1013. Application developer guidance
- MITRE ATT&CK®-M1025. Privileged process integrity
- WASC-W_40. Insufficient process validation
- OWASP SCP-14. General coding practices
- CWE TOP 25-362. Concurrent execution using shared resource with improper synchronization (Race condition)
- OWASP ASVS-11_1_1. Business logic security
- SIG Core-L_2_1. Compliance
- SANS 25-22. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CASA-1_11_3. Communications Architecture
Vulnerabilities
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.