• Browse topics
Sign up



For Snyk Enterprise customers with regional contracts. More info

Sign up

Insufficient encapsulation

Follow the principle of least privilege


Insufficient encapsulation: the basics

What is insufficient encapsulation?

Encapsulation is the practice of bundling related data and functions into a single unit, usually called an "object". Insufficient encapsulation occurs when an object's properties and methods are not properly contained within the object, allowing external code to access or modify them in unintended ways.

Insufficient encapsulation is generally considered to be a poor coding practice that can lead to vulnerabilities, rather than being a vulnerability in and of itself.

About this lesson

In this lesson, you will learn about vulnerabilities stemming from insufficient encapsulation and how to protect your applications against them. We will step into the shoes of an inexperienced developer at a bank who discovers and remediates an instance of insufficient encapsulation in their own application.


Getters and setters

The most common fix for insufficient encapsulation is to use accessor (getter and setter) methods, which allow you to control precisely how and when an object's properties and methods may be accessed or modified.

Insufficient encapsulation in action

Buddy was thrilled to land his first job as a developer at Saturn Bank right after graduating from university. He was assigned to work on a major project to overhaul the bank's outdated code that handled money transfers.

Insufficient encapsulation

  • STEP 1
  • STEP 2
  • STEP 3
  • STEP 4
  • STEP 5

Setting the stage

Buddy was thrilled to land his first job as a developer at a bank. He was assigned to work on a major project to overhaul the bank's outdated code.


The bank began to notice strange activity. Many accounts were suddenly able to draw money out of their account into negative values. This caused widespread panic among the bank's customers and led to a huge loss of trust in the bank's security and stability.

Buddy worked closely with the bank's security team to investigate the issue and ultimately discovered that the problem was caused by a lack of encapsulation in his code.

Insufficient encapsulation under the hood

So, what exactly went wrong here? Here's the relevant code snippet:

In this code, the balance variable in the account class is not sufficiently encapsulated because it can be directly accessed and modified by the transfer function, which is not intended behavior. Buddy naively wrote a transfer() function which accesses the balance directly, not considering that this variable could become negative.

Because he edited the balance directly, instead of using the withdraw() and deposit() functions, there are no checks in place to ensure that the sender account has enough funds to make the transfer before executing it.

What is the impact of insufficient encapsulation?

Insufficient encapsulation is not a vulnerability in itself, but it does encourage and allow poor coding practices. The impact will vary widely depending on the context and application.

Scan your code & stay secure with Snyk - for FREE!

Did you know you can use Snyk for free to verify that your code
doesn't include this or other vulnerabilities?

Scan your code

Insufficient encapsulation mitigation

When designing classes, it's best to follow the principle of least privilege. Treat all properties as private unless there is a specific need to make them protected or public. Then, write accessors (setter and getter functions) to access or modify the values. This way, the only way that properties in the class can be accessed is through the accessor functions, which may include validation and sanity checks.

The code example above could be mitigated by making the balance property private, meaning that it could only be accessed via the withdraw and deposit functions, which contain a check to ensure that the balance will not go below zero.

Then, the transfer function could be modified to use the withdraw and deposit functions, like this:


Test your knowledge!


When designing classes, it's best to follow the principle of least privilege. This means:

Keep learning

To learn more about insufficient encapsulation, check out the following links: