https://www.secdev.uk/blog/tags/cwe-362/ Recent content in CWE-362 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 06 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-06-the-art-of-the-subtle-bug/ Sat, 06 Dec 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-12-06-the-art-of-the-subtle-bug/ <p>The vulnerabilities that cause real breaches are rarely the textbook examples. They&rsquo;re the ones that survive multiple rounds of code review, pass SAST scans, and sit in production for years. The more I researched these nuanced bugs, the more I realised what makes them dangerous: they exploit assumptions reviewers make about language behaviour, framework internals, or data flow boundaries. This post dissects the patterns that make a vulnerability subtle and walks through real examples that show why even experienced reviewers still miss them.</p> https://www.secdev.uk/blog/technology/2025-09-27-go-security-goroutines-errors/ Sat, 27 Sep 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-09-27-go-security-goroutines-errors/ <p>Go&rsquo;s simplicity is its greatest strength and, I&rsquo;d argue, its most dangerous security property. The language has no exceptions, no generics-based abstractions (until recently), and no implicit behaviour, everything is explicit. But that explicitness creates its own class of vulnerabilities: unchecked errors that silently skip security validation, goroutine races on shared state, HTTP client defaults that follow redirects into internal networks, and string handling patterns that bypass input validation. In this post, I want to walk through the Go-specific anti-patterns that lead to security vulnerabilities, from the error that nobody checked to the goroutine that corrupted the authentication cache. The more I dug into Go&rsquo;s security landscape, the more I realised these bugs are subtle precisely because the language feels so straightforward.</p> https://www.secdev.uk/blog/technology/2025-08-16-race-conditions/ Sat, 16 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-16-race-conditions/ <p>Race conditions (CWE-362) are, in my opinion, the most insidious class of security bugs you&rsquo;ll encounter. They occur when the behaviour of a program depends on the relative timing of concurrent operations, and at least one of those operations modifies shared state. The window between a check and a subsequent use of the checked value, the classic time-of-check to time-of-use (TOCTOU) pattern, is the most exploited form, but races also show up in counter increments, balance updates, session management, and file operations. What makes race conditions uniquely dangerous is their non-determinism: the bug may not manifest in thousands of test runs, then appear under production load when two requests arrive within microseconds of each other. I want to walk through race conditions in Python, Go, Java, and Rust, from the obvious unprotected counter to the subtle channel-based ordering assumption that passes every test but fails under contention.</p>