Weekly CISSP Practice Exam Questions
Scenario: During a code review, a developer suggests using obfuscation to secure sensitive algorithms in the application. What is the primary downside to this approach?
A. Increases computational overhead
B. Cannot be used in cloud environments
C. Security through obscurity
D. Increases storage requirements
Answer: C
Explanation:
A. Increases Computational Overhead
Obfuscation often involves adding "dead code," renaming variables to nonsense strings, and complicating logic flow.
- The Impact: While this can slightly slow down execution, modern processors handle this easily.
- The Distinction: Performance is an operational concern, but the primary security flaw is that the algorithm is still technically "in the clear" once an attacker puts in the effort to de-obfuscate it.
B. Cannot be used in cloud environments
This is incorrect. Obfuscation is a transformation applied to the source code or binary itself.
- The Reality: Whether that code runs on a local server, a mobile device, or a serverless function in the cloud (AWS Lambda, Google Cloud Functions) makes no difference to the obfuscation layer.
C. Security through Obscurity
This is the core CISSP concept that disqualifies obfuscation as a robust security measure.
- Why it's the Answer: "Security through obscurity" assumes that if the inner workings of a system are hidden, the system is secure. However, a determined attacker with a debugger or disassembler can eventually reverse-engineer the logic.
- The Rule: Real security should rely on Open Design (Kerckhoffs's Principle), which states that a system should be secure even if the attacker knows everything about how it works, as long as the "secret" (like a cryptographic key) remains protected.
D. Increases Storage Requirements
While adding extra "junk" code to confuse an attacker will technically increase the file size of the application, this is negligible in modern computing.
- The Reality: The storage cost of a few extra kilobytes or megabytes is not a significant risk compared to the risk of an algorithm being stolen or bypassed.
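As an added illustration of the Open Design point (not part of the original question or explanation), here is a toy approval-token check written two ways: once with an obfuscated algorithm as the only secret, and once with HMAC-SHA256, where the algorithm is public and only the key is secret. All names, constants and the "invoice-4711" record are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Scheme 1, security through obscurity: the algorithm itself is the secret.
# Nonsense names, a hard-coded constant and a junk transform stand in for obfuscation.
def _t9(b: bytes) -> bytes:
    return bytes(x ^ 0x5A for x in b)            # reversible "junk" transform

def obscured_token(record_id: str) -> str:
    _k = b"ZzQ1-baked-in"                        # constant shipped inside the binary
    return hashlib.sha256(_t9(_k + record_id.encode())).hexdigest()[:16]

def obscured_verify(record_id: str, token: str) -> bool:
    return hmac.compare_digest(obscured_token(record_id), token)

# Scheme 2, open design (Kerckhoffs's principle): HMAC-SHA256 is public; only the key is secret.
def keyed_token(record_id: str, key: bytes) -> str:
    return hmac.new(key, record_id.encode(), hashlib.sha256).hexdigest()[:16]

def keyed_verify(record_id: str, token: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_token(record_id, key), token)

def forgery_outcome(server_key: bytes, target: str = "invoice-4711") -> dict:
    """Assume the shipped code has been fully de-obfuscated, so an attacker can
    call the same functions the server runs. Which scheme still holds?"""
    # Scheme 1: the recovered code IS the secret, so the minted token is accepted.
    obscured_forgeable = obscured_verify(target, obscured_token(target))
    # Scheme 2: code in hand but no key; a token under a guessed key is rejected.
    guessed_key = secrets.token_bytes(32)
    keyed_forgeable = keyed_verify(target, keyed_token(target, guessed_key), server_key)
    return {"obscured_forgeable": obscured_forgeable, "keyed_forgeable": keyed_forgeable}

def rotation_outcome(old_key: bytes, new_key: bytes, target: str = "invoice-4711") -> dict:
    """After a key leak the open design recovers by rotating the key: tokens minted
    under the old key stop verifying. The obscured scheme has nothing to rotate
    short of rewriting and redeploying the algorithm."""
    leaked_token = keyed_token(target, old_key)
    return {"old_token_still_valid": keyed_verify(target, leaked_token, new_key),
            "new_token_valid": keyed_verify(target, keyed_token(target, new_key), new_key)}
```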
Podcasts
Check out my weekly podcasts, which delve deep into the relevant topics for each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.