Page 653 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
In the sections that follow, we cover common sources of attack or
vulnerabilities in security architectures that can be attributed to
failures in design, implementation, prerelease code cleanup, or
out-and-out coding mistakes. Although such flaws are avoidable, finding
and fixing them requires rigorous security-conscious design from the
beginning of a development project and extra time and effort spent on
testing and analysis. This helps to explain the often lamentable state of
software security, but it does not excuse it!
Humans will never write completely secure (flawless) code. Source
code analysis tools applied throughout the application development
cycle reduce the number of flaws that reach the production release, and
flaws found before release cost far less to fix than those found in
production. The concepts of code review and testing are covered in
Chapter 15, “Security Assessment and Testing.”
Trusted Recovery
When an unprepared system crashes and subsequently recovers, two
windows in which its security controls can be bypassed may open: many
systems unload security controls as part of their shutdown procedures,
and those controls may not yet be reloaded while the system is coming
back up. Trusted recovery ensures that all security controls remain
intact in the event of a crash. During a trusted recovery, the system
allows no access to occur while security controls are disabled; even
the recovery phase runs with all controls intact.
For example, suppose a system crashes while a database transaction is
being written to disk for a database classified as top secret. An
unprotected system might allow an unauthorized user to access that
temporary data before it is written to disk. A system that supports
trusted recovery ensures that no data confidentiality violation occurs,
even during the crash. This requires careful planning and detailed
procedures for handling system failures. Although automated recovery
procedures may make up a portion of the entire recovery, manual
intervention may still be required; if such manual action is needed,
appropriate identification and authentication of the personnel
performing the recovery is likewise essential.
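The crash scenario above, as an added example that is not from the study guide: a small file-backed store is written two ways and both are made to crash mid-transaction. The unprotected path leaves a partially written, world-readable temp file behind and has no recovery step; the trusted path creates its in-flight file owner-only (0o600) from the moment it exists, renames it into place atomically, and routes recovery itself through the same authorization check as a normal read, so an operator who is not cleared for the label cannot even run the recovery. All names (CLEARANCE, LABEL, naive_commit, trusted_commit, trusted_recover, CrashDuringWrite) are hypothetical; the sample record is constructed; the code assumes a POSIX filesystem and forces a umask of 0o022 in the unprotected path so its outcome is reproducible.

```python
"""Added illustration of trusted recovery (not from the study guide). Every name
here is hypothetical; the unprotected path forces umask 0o022 for reproducibility."""
import glob
import os
import stat
import tempfile


class CrashDuringWrite(Exception):
    """Constructed fault: raised to simulate the system dying mid-transaction."""


# Hypothetical clearances; the store is classified at LABEL.
CLEARANCE = {"alice": "top secret", "bob": "confidential"}
LABEL = "top secret"


def authorized(user):
    """The security control that must stay loaded at all times, recovery included."""
    return CLEARANCE.get(user) == LABEL


def naive_commit(db_path, record, crash_at=None):
    """Unprotected system: the temp file takes whatever mode the umask allows
    (0o022 assumed and forced here, giving 0o644), so a crash leaves partial
    plaintext world-readable, and nothing ever cleans it up."""
    old_umask = os.umask(0o022)
    try:
        tmp = db_path + ".tmp"
        with open(tmp, "wb") as f:
            if crash_at is not None:
                f.write(record[:crash_at])
                f.flush()
                raise CrashDuringWrite
            f.write(record)
        os.replace(tmp, db_path)
    finally:
        os.umask(old_umask)


def trusted_commit(db_path, record, crash_at=None):
    """Trusted variant: mkstemp creates the temp file owner-only (0o600) at creation,
    the data is fsynced, then the file is atomically renamed into place. In-flight
    data is never readable by anyone else, even if the process dies before the rename."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(db_path), prefix=".txn-")
    with os.fdopen(fd, "wb") as f:       # a crash here leaves .txn-* behind, mode 0o600
        if crash_at is not None:
            f.write(record[:crash_at])
            f.flush()
            raise CrashDuringWrite
        f.write(record)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, db_path)


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def leftover_transactions(db_dir):
    """In-flight files a crash left behind, mapped to whether 'other' can read them."""
    paths = glob.glob(os.path.join(db_dir, "*.tmp")) + glob.glob(os.path.join(db_dir, ".txn-*"))
    return {os.path.basename(p): world_readable(p) for p in paths}


def trusted_recover(db_dir, operator):
    """Recovery runs with controls intact: the operator is checked against the same
    policy as any reader before anything is touched, and incomplete transactions are
    rolled back (discarded), never exposed or applied half-written."""
    if not authorized(operator):
        raise PermissionError(f"{operator!r} is not cleared to recover a {LABEL} store")
    rolled_back = []
    for p in glob.glob(os.path.join(db_dir, ".txn-*")):
        os.remove(p)
        rolled_back.append(os.path.basename(p))
    return rolled_back


def read_record(db_path, user):
    """Normal read path; the same check guards reads before, during and after recovery."""
    if not authorized(user):
        raise PermissionError(f"{user!r} is not cleared for {LABEL}")
    with open(db_path, "rb") as f:
        return f.read()


def demo():
    """Crash both variants mid-write and report what an attacker or operator finds."""
    record = b"TOP SECRET: launch code 1234"   # constructed sample data
    report = {}
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "secrets.db")
        try:
            naive_commit(db, record, crash_at=12)
        except CrashDuringWrite:
            pass
        report["naive_leaks_partial_record"] = any(leftover_transactions(d).values())
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "secrets.db")
        try:
            trusted_commit(db, record, crash_at=12)
        except CrashDuringWrite:
            pass
        report["trusted_leaks_partial_record"] = any(leftover_transactions(d).values())
        try:                                   # bob is not cleared: recovery itself is guarded
            trusted_recover(d, "bob")
            report["bob_could_recover"] = True
        except PermissionError:
            report["bob_could_recover"] = False
        report["rolled_back"] = len(trusted_recover(d, "alice"))
        report["leftover_after_recovery"] = len(leftover_transactions(d))
        trusted_commit(db, record)             # retry the transaction once recovered
        report["alice_reads_committed_record"] = read_record(db, "alice") == record
    return report


if __name__ == "__main__":
    print(demo())
```

The design point is that the protection is decided at creation time (file mode on `mkstemp`, atomic `os.replace`) rather than applied afterwards, because a crash can strike between any two steps; and that the recovery routine is not a privileged back door but goes through the same `authorized` check as every other access, which is what "even the recovery phase runs with all controls intact" means in practice.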

