Kingdom: Time and State

Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time.

Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information.

Race Condition: Roaming Data Access

Abstract
The developer is using the RoamingFolder or RoamingSettings property of the Windows.Storage.ApplicationData class.
Explanation
The RoamingFolder and RoamingSettings properties get a container in the roaming app data store, which can then be used to share data between two more devices. By writing and reading objects stored in the roaming app data store, the developer increases the risk of compromise. This includes the confidentiality, integrity, and availability of the data, applications, and systems which share those objects through the roaming app data store.

Developers should refrain from using this functionality without first implementing the necessary technical controls.
References
[1] ApplicationData.RoamingFolder | roamingFolder property
[2] ApplicationData.RoamingSettings | roamingSettings property
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SA-11 Developer Security Testing and Evaluation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SA-11 Developer Testing and Evaluation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001995 CAT II
desc.structural.dotnet.race_condition_roaming_data_access