Page 947 of the CISSP study guide discusses Encapsulation as a security method for object-oriented programming. Page 981 discusses polyinstantiation for database use.
It's honestly BS they would even ask a question about something that is basically mentioned in passing. But it's in ISC's best interest if people fail. Gotta get them $$$
From ISC2 self study guide 2022 "One of the key features in object oriented technology useful to security is polyinstantiation. Polyinstantiation may prevent inference possibilities by creating a new version of an object by replacing variables with other values. Essentially, it allows different versions of the same information to exist at different classification levels. Therefore, users at a lower classification level don't know of the existence of a higher classification level."
Encapsulation is a fundamental concept in object-oriented programming (OOP) that involves bundling data and methods into a single unit, or class. It's a way to store, hide, and manipulate data while giving the programmer more control over it.
Could the answer be B based on the statement below from the CISSP official textbook?
Inheritance. The concept of a data class makes it possible to define subclasses of data objects that share some or all the main (or super) class characteristics. If security is properly implemented in the high-level class, then subclasses should inherit that security. The same is true of objects derived not from one class but from another object. The keys are to properly implement security in the high-level class objects so that the subclasses can inherit them properly. It is very important to create objects that have good security characteristics because these can be inherited by further objects.
Polyinstantiation is database related - it's not part of object-oriented programming. I'm a developer with 30 yrs of programming and database development.
I agree some of these questions have nothing to do with making you better at security, it's like every other vendor cert test, they ask you things that are text book applicable but not very useful on the job.
From the Study guide: Encapsulation thus provides for ways to bind sensitive data with the methods that provide for trustworthy processing of that data. As a result, many OOP architectures inherently provide greater security features, which can be used by their systems designers and builders to enhance systems and organizational security postures
Answer D) Encapsulation
Encapsulation term specifically mentioned on the CISSP official study guide on Page 942 for programming.
POLYINSTANTIATION is wrong: it mainly refers to Database security
POLYMORPHISM (method overloading/overriding) is wrong: it is a programming concept and not really a security method that enhances code reusability and flexibility by enabling objects of different types to be treated in a unified way.
https://cissphemant.medium.com/cissp-domain-8-software-development-security-easy-notes-to-pass-cissp-certification-in-2023-24-acca3ef22528#:~:text=POLYINSTANTIATION%20%26%20POLYMORPHISM
D. Encapsulation
Encapsulation is a fundamental concept in object-oriented programming (OOP) that involves bundling data (attributes) and methods (functions) that operate on that data into a single unit known as an object. It allows you to control access to the internal state of an object, protecting it from unauthorized modifications or direct external access. Encapsulation helps promote data integrity and security by enforcing access controls and ensuring that the object's internal workings remain hidden from external code. It's a key principle for building modular, maintainable, and secure software systems.
It's D.
Even when searching for object-oriented programming and the answer word, the only information that comes up related to security is encapsulation.
More evidence for C:
https://www.skillset.com/questions/what-object-oriented-programming-concept-is-when-two-objects-with-same-name-have-different-data-8932#:~:text=Polyinstantiation%20in%20computer%20science%20is,(identifier%2C%20primary%20key).
C. Polyinstantiation seems the right answer.
"Polyinstantiation is a cybersecurity strategy where multiple instances of a shared resource are created to prevent a user without the correct privileges from seeing the more sensitive information."
It prevents against an inference attack since different info is displayed based on classification level.
https://cyberhoot.com/cybrary/polyinstantiation/#:~:text=Polyinstantiation%20is%20a%20cybersecurity%20strategy,seeing%20the%20more%20sensitive%20information.
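Added example, not part of any comment in this thread or of the study guides quoted: a sketch of the polyinstantiation described in the quotes above, assuming a constructed `shipment` table and three constructed classification labels. It shows how a key on the identifier alone reveals that a higher-classified row exists, and how keying on (identifier, level) lets a lower-level version coexist so that inference is not possible.

```python
import sqlite3

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}  # constructed labels

def make_db(polyinstantiated):
    """Create the table; the key includes the level only when polyinstantiated."""
    key = "(ship_id, level)" if polyinstantiated else "(ship_id)"
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE shipment (ship_id TEXT, level INTEGER, cargo TEXT, "
        f"PRIMARY KEY {key})"
    )
    # Constructed sample row: the real, high-classified tuple.
    db.execute("INSERT INTO shipment VALUES ('SS-101', 2, 'missile parts')")
    return db

def insert_as(db, clearance, ship_id, cargo):
    """Insert at the subject's own level; report whether the write was accepted."""
    try:
        db.execute("INSERT INTO shipment VALUES (?, ?, ?)",
                   (ship_id, LEVELS[clearance], cargo))
        return True
    except sqlite3.IntegrityError:
        # A rejected key tells the low subject that a hidden row exists.
        return False

def read_as(db, clearance, ship_id):
    """Return the highest instance at or below the subject's clearance."""
    row = db.execute(
        "SELECT cargo FROM shipment WHERE ship_id = ? AND level <= ? "
        "ORDER BY level DESC LIMIT 1",
        (ship_id, LEVELS[clearance])).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    single = make_db(polyinstantiated=False)
    print("single-instance insert accepted:",
          insert_as(single, "UNCLASSIFIED", "SS-101", "food supplies"))
    poly = make_db(polyinstantiated=True)
    print("polyinstantiated insert accepted:",
          insert_as(poly, "UNCLASSIFIED", "SS-101", "food supplies"))
    for who in LEVELS:
        print(who, "sees", read_as(poly, who, "SS-101"))
```
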
https://www.enjoyalgorithms.com/blog/encapsulation-in-oops
Nothing about security, it's about flexibility in the design
Encapsulation is the only one that is defense-in-depth. Polyinstantiation provides multiple versions but that is not depth, just different instance levels.
I go with D
Encapsulation is an important security method in object-oriented programming that involves encapsulating data and code into a single entity, and only allowing access to that entity through predefined interfaces. This helps to prevent unauthorized access to the data and code, and it also makes the code easier to maintain and modify.
The other options are fundamental characteristics of OOP/best practice that should be applied constantly. Polyinstantiation is the one we add depending on context/need.
Data security is the biggest concern of the 21st century. To provide basic data protection, encapsulation was implemented in object-oriented programming. Encapsulation is closely related to abstraction and data hiding; in one word, encapsulation is a protective shield. It is one of the fundamentals of OOP which hides the data and structure of methods inside a class. It prevents unauthorized access to data and how it is processed inside a class. https://www.geekboots.com/story/concept-of-encapsulation-in-oops
Development phase.
This is when we "engineer in security and develop controls". Polyinstantiation is a way to engineer in security.