The Certified SOA Security Specialist S90.20 exam, administered by Arcitura Education, validates your ability to design, implement, and manage security controls across service-oriented and microservice architectures. This exam is intended for architects, security professionals, and developers who need to demonstrate hands-on competency in SOA security practices. The SOA Security Lab component tests practical application of security concepts in real-world scenarios. This page outlines the exam structure, core topics, and effective preparation strategies to help you succeed.
Use this topic map to guide your study for Arcitura Education S90.20 (SOA Security Lab) within the Certified SOA Security Specialist path.
The S90.20 exam uses multiple item types to assess both conceptual knowledge and practical decision-making in SOA security contexts. Questions progress in difficulty and require you to apply security principles to real-world architectural challenges.
Effective preparation maps the five core topic areas to a structured study schedule, allowing you to build foundational knowledge before tackling advanced scenarios and hands-on labs. Allocate time proportionally: spend more hours on Advanced Security and the Security Lab, since these carry greater weight on the exam.
Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to S90.20 and cover practical scenarios with clear explanations.
Visit the exam page to download the PDF, Online Practice Test, or get a Bundle Discount offer for both formats: SOA Security Lab.
Advanced Security for Services, Microservices & SOA and the Security Lab for Services, Microservices & SOA account for approximately 50-60% of exam content. These sections emphasize hands-on application of security controls, threat modeling, and incident response rather than basic definitions. Allocate study time accordingly, with deeper focus on configuration tasks and real-world scenario analysis.
Fundamental SOA and Services & Microservices provide the architectural foundation; Microservice Technology Concepts introduce the platforms and tools you'll use. Fundamental Security establishes core controls (authentication, encryption), while Advanced Security addresses how to apply these controls across complex, distributed systems. The Security Lab ties everything together by requiring you to implement and validate security in a working environment, mirroring actual project workflows.
Hands-on experience is critical for the S90.20 exam, especially the Security Lab section. Prioritize labs that involve setting up mutual TLS between services, implementing OAuth 2.0 or SAML flows, and configuring API gateway and service mesh security policies. If possible, practice in containerized environments (Docker, Kubernetes) since these are common in modern SOA deployments.
Many candidates confuse authentication with authorization or overlook the differences between service-to-service and client-to-service security patterns. Others underestimate the importance of encryption in transit versus at rest, or fail to consider how service mesh security policies interact with network policies. Review scenario-based questions carefully and ensure you understand the "why" behind each control, not just the "what."
In the final week, shift from learning new topics to reinforcing weak areas and building test-day confidence. Run two full-length timed practice tests, review all incorrect answers, and create a one-page reference sheet of key security patterns and configuration steps. Avoid cramming new material; instead, focus on pacing, question interpretation, and validating that you can apply security concepts under time pressure.
Service Consumer A sends a request to Service A (1). Service A replies with an acknowledgement message (2) and then processes the request and sends a request message to Service B (3). This message contains confidential financial data. Service B sends three different request messages together with its security credentials to Services C .D .and E (4, 5, 6). Upon successful authentication, Services C .D .and E store the data from the message in separate databases (7.8, 9). Services B .C .D, and E belong to Service Inventory A, which further belongs to Organization B .Service Consumer A and Service A belong to Organization A .Organization B decides to create a new service inventory (Service Inventory B) for services that handle confidential data. Access to these services is restricted by allocating Service Inventory B its own private network. Access to this private network is further restricted by a dedicated firewall. Services C, D and E are moved into Service Inventory B, and as a result. Service B can no longer directly access these services. How can this architecture be changed to allow Service B to access Services C, D and E in a manner that does not jeopardize the security of Service Inventory B while also having a minimal impact on the service composition's performance?

Service Consumer A sends a request message to Service A (1), after which Service A sends a request message with security credentials to Service B (2). Service B authenticates the request and, if the authentication is successful, writes data from the request message into Database B (3). Service B then sends a request message to Service C (4), which is not required to issue a response message. Service B then sends a response message back to Service A (5). After processing Service B's response, Service A sends another request message with security credentials to Service B (6). After successfully authenticating this second request message from Service A, Service B sends a request message to Service D (7). Service D is also not required to issue a response message. Finally, Service B sends a response message to Service A (8), after which Service A records the response message contents in Database A (9) before sending its own response message to Service Consumer A (10).

Services A and B use digital certificates to support message integrity and authentication. With every message exchange between the two services (2, 5, 6, 8), the digital certificates are used. It has been determined that both Databases A and B are vulnerable to malicious attackers that may try to directly access sensitive data records. Furthermore, performance logs have revealed that the current exchange of digital certificates between Services A and B is unacceptably slow. How can the integrity and authenticity of messages exchanged between Services A and B be maintained, but with improved runtime performance - and - how can Databases A and B be protected with minimal additional impact on performance?
Service A is a publically accessible service that provides free multimedia retrieval capabilities to a range of service consumers. To carry out this functionality, Service A is first invoked by Service Consumer A (1). Based on the nature of the request message received from Service Consumer A, Service A either invokes Service B or Service C .When Service B is invoked by Service A (2A) it retrieves data from publicly available sources (not shown) and responds with the requested data (3A). When Service C is invoked by Service A (2B) it retrieves data from proprietary sources within the IT enterprise (not shown) and responds with the requested data (3B). After receiving a response from Service B or Service C, Service A sends the retrieved data to Service Consumer A (4). Service B does not require service consumers to be authenticated, but Service C does require authentication of service consumers. The service contract for Service A therefore uses WS-Policy alternative policies in order to express the two different authentication requirements to Service Consumer A .When Service Consumer A sends a request message (1), Service A determines whether the request requires the involvement of Service C and then checks to ensure that the necessary security credentials were received as part of the message. If the credentials provided by Service Consumer A are verified. Service A creates a signed SAML assertion and sends it with the request message to Service C (2B) This authentication information is protected by public key encryption However, responses to Service Consumer A's request message (3B, 4) are not encrypted for performance reasons. The owner of Service C is planning two changes to the service architecture:
1. A fee will be charged to Service Consumer A (or any service consumer) using Service C .2. The response messages issued by Service C need to be secured in order to prevent unauthorized access. An analysis of Service C's usage statistics reveals that a group of service consumers specifically request the retrieval of multimedia data on a frequent basis. To promote the usage of Service C to these types of service consumers, the owner of Service C plans to offer a special discount by allowing unlimited multimedia retrievals for a fixed monthly price. Service consumers that do not subscribe to this promotion will need to pay for each request individually. It is anticipated that the new promotion will significantly increase the usage of Service C .The owner of Service C therefore wants to ensure that the security added to the response messages has a minimal impact on Service C's runtime performance. What steps can be taken to fulfill these requirements?

Service A exchanges messages with Service B multiple times during the same runtime service activity. Communication between Services A and B has been secured using transport-layer security. With each service request message sent to Service B (1A .IB), Service A includes an X.509 certificate, signed by an external Certificate Authority (CA). Service B validates the certificate by retrieving the public key of the CA (2A .2B) and verifying the digital signature of the X.509 certificate. Service B then performs a certificate revocation check against a separate external CA repository (3A, 3B). No intermediary service agents reside between Service A and Service B .

To fulfill a new security requirement, Service A needs to be able to verify that the response message sent by Service B has not been modified during transit. Secondly, the runtime performance between Services A and B has been unacceptably poor and therefore must be improved without losing the ability to verify Service A's security credentials. It has been determined that the latency is being caused by redundant security processing carried out by Service B .Which of the following statements describes a solution that fulfills these requirements?
Service Consumer A sends a request message with a Username token to Service A (1). Service B authenticates the request by verifying the security credentials from the Username token with a shared identity store (2). To process Service Consumer A's request message, Service A must use Services B, C, and D .Each of these three services also requires the Username token (3. 6, 9) in order to authenticate Service Consumer A by using the same shared identity store (4, 7, 10). Upon each successful authentication, each of the three services (B, C, and D) issues a response message back to Service A (5, 8, 11). Upon receiving and processing the data in all three response messages, Service A sends its own response message to Service Consumer A (12). You are asked to redesign this service composition architecture so that it can still carry out the described message exchanges while requiring that Service Consumer A only be authenticated once using the identity store. Which of the following statements describes an accurate solution?
