Free Arcitura Education S90.20 Exam Actual Questions & Explanations

Last updated on: Jul 17, 2026
Author: Alexander Lim (SOA Security Curriculum Specialist at Arcitura Education)

The Certified SOA Security Specialist S90.20 exam, administered by Arcitura Education, validates your ability to design, implement, and manage security controls across service-oriented and microservice architectures. This exam is intended for architects, security professionals, and developers who need to demonstrate hands-on competency in SOA security practices. The SOA Security Lab component tests practical application of security concepts in real-world scenarios. This page outlines the exam structure, core topics, and effective preparation strategies to help you succeed.

S90.20 Exam Syllabus & Core Topics

Use this topic map to guide your study for Arcitura Education S90.20 (SOA Security Lab) within the Certified SOA Security Specialist path.

  • Fundamental SOA, Services & Microservices: Understand the core principles of service-oriented architecture, service boundaries, and microservice deployment models. You must recognize how service composition affects security posture and identify integration points that require protection.
  • Microservice Technology Concepts: Learn containerization, orchestration platforms, API gateways, and service mesh technologies. Demonstrate the ability to evaluate how these technologies introduce new security considerations and where controls must be applied.
  • Fundamental Security for Services, Microservices & SOA: Master authentication, authorization, encryption, and secure communication patterns. Apply these principles to service-to-service interactions, including token-based access control and message-level security.
  • Advanced Security for Services, Microservices & SOA: Address threat modeling, vulnerability assessment, and security policy enforcement across distributed systems. Develop strategies for detecting and responding to security incidents in service-based environments.
  • Security Lab for Services, Microservices & SOA: Execute hands-on configuration tasks such as setting up mutual TLS between services, implementing OAuth 2.0 flows, and configuring service mesh security policies. Work through realistic scenarios that require you to troubleshoot security misconfigurations and validate secure deployments.

Question Formats & What They Test

The S90.20 exam uses multiple item types to assess both conceptual knowledge and practical decision-making in SOA security contexts. Questions progress in difficulty and require you to apply security principles to real-world architectural challenges.

  • Multiple choice: Test recall of security definitions, feature behavior, protocol specifications, and key terminology relevant to services and microservices.
  • Scenario-based items: Present realistic security challenges (e.g., a microservice breach, misconfigured API gateway, or compliance violation). You analyze the situation and select the most appropriate security control or remediation approach.
  • Configuration and lab tasks: Require you to configure security settings, interpret policy outputs, and validate that security controls are properly implemented in a service environment.

Preparation Guidance

Effective preparation maps the five core topic areas to a structured study schedule, allowing you to build foundational knowledge before tackling advanced scenarios and hands-on labs. Allocate time proportionally: spend more hours on Advanced Security and the Security Lab, since these carry greater weight on the exam.

  • Organize your study into weekly blocks aligned to each topic: begin with Fundamental SOA and Services & Microservices (week 1), progress through Microservice Technology Concepts (week 2), then cover Fundamental Security (week 3), Advanced Security (weeks 4-5), and dedicate week 6 to the Security Lab. Track your progress against a checklist of learning objectives.
  • Work through practice question sets after completing each topic block. Review explanations for both correct and incorrect answers to identify conceptual gaps and reinforce reasoning.
  • Connect security concepts across the service lifecycle: map how authentication policies apply during service discovery, how encryption protects data in transit and at rest, and how monitoring detects unauthorized access patterns.
  • Complete a timed mini-mock exam (30-40 questions) in week 6 to build pacing confidence, identify remaining weak areas, and reduce test-day anxiety.
  • Explore other Arcitura Education certifications: view all Arcitura Education exams.

Get the PDF & Practice Test

Strengthen your preparation with up-to-date resources from validexamdumps.com. These materials align to S90.20 and cover practical scenarios with clear explanations.

  • Q&A PDF with explanations: Topic-mapped questions that clarify why correct options are right and others aren't, helping you build solid reasoning skills.
  • Practice Test: Realistic items, timed and untimed modes, progress tracking, and detailed review to simulate exam conditions.
  • Focused coverage: Aligned to Fundamental SOA, Services & Microservices; Microservice Technology Concepts; Fundamental Security for Services, Microservices & SOA; Advanced Security for Services, Microservices & SOA; and Security Lab for Services, Microservices & SOA so you study what matters most.
  • Regular reviews: Content refreshes that reflect syllabus and product changes, ensuring accuracy and relevance.

Visit the exam page to download the PDF, Online Practice Test, or get a Bundle Discount offer for both formats: SOA Security Lab.

Frequently Asked Questions

What topics carry the most weight on the S90.20 exam?

Advanced Security for Services, Microservices & SOA and the Security Lab for Services, Microservices & SOA account for approximately 50-60% of exam content. These sections emphasize hands-on application of security controls, threat modeling, and incident response rather than basic definitions. Allocate study time accordingly, with deeper focus on configuration tasks and real-world scenario analysis.

How do the five core topics connect in a real SOA project?

Fundamental SOA and Services & Microservices provide the architectural foundation; Microservice Technology Concepts introduce the platforms and tools you'll use. Fundamental Security establishes core controls (authentication, encryption), while Advanced Security addresses how to apply these controls across complex, distributed systems. The Security Lab ties everything together by requiring you to implement and validate security in a working environment, mirroring actual project workflows.

How important is hands-on experience, and which labs should I prioritize?

Hands-on experience is critical for the S90.20 exam, especially the Security Lab section. Prioritize labs that involve setting up mutual TLS between services, implementing OAuth 2.0 or SAML flows, and configuring API gateway and service mesh security policies. If possible, practice in containerized environments (Docker, Kubernetes) since these are common in modern SOA deployments.

What are common mistakes that cost candidates points?

Many candidates confuse authentication with authorization or overlook the differences between service-to-service and client-to-service security patterns. Others underestimate the importance of encryption in transit versus at rest, or fail to consider how service mesh security policies interact with network policies. Review scenario-based questions carefully and ensure you understand the "why" behind each control, not just the "what."

How should I approach the final week before the exam?

In the final week, shift from learning new topics to reinforcing weak areas and building test-day confidence. Run two full-length timed practice tests, review all incorrect answers, and create a one-page reference sheet of key security patterns and configuration steps. Avoid cramming new material; instead, focus on pacing, question interpretation, and validating that you can apply security concepts under time pressure.

Question No. 1

Service Consumer A sends a request to Service A (1). Service A replies with an acknowledgement message (2) and then processes the request and sends a request message to Service B (3). This message contains confidential financial data. Service B sends three different request messages together with its security credentials to Services C .D .and E (4, 5, 6). Upon successful authentication, Services C .D .and E store the data from the message in separate databases (7.8, 9). Services B .C .D, and E belong to Service Inventory A, which further belongs to Organization B .Service Consumer A and Service A belong to Organization A .Organization B decides to create a new service inventory (Service Inventory B) for services that handle confidential data. Access to these services is restricted by allocating Service Inventory B its own private network. Access to this private network is further restricted by a dedicated firewall. Services C, D and E are moved into Service Inventory B, and as a result. Service B can no longer directly access these services. How can this architecture be changed to allow Service B to access Services C, D and E in a manner that does not jeopardize the security of Service Inventory B while also having a minimal impact on the service composition's performance?

Show Answer Hide Answer
Correct Answer: A

Question No. 2

Service Consumer A sends a request message to Service A (1), after which Service A sends a request message with security credentials to Service B (2). Service B authenticates the request and, if the authentication is successful, writes data from the request message into Database B (3). Service B then sends a request message to Service C (4), which is not required to issue a response message. Service B then sends a response message back to Service A (5). After processing Service B's response, Service A sends another request message with security credentials to Service B (6). After successfully authenticating this second request message from Service A, Service B sends a request message to Service D (7). Service D is also not required to issue a response message. Finally, Service B sends a response message to Service A (8), after which Service A records the response message contents in Database A (9) before sending its own response message to Service Consumer A (10).

Services A and B use digital certificates to support message integrity and authentication. With every message exchange between the two services (2, 5, 6, 8), the digital certificates are used. It has been determined that both Databases A and B are vulnerable to malicious attackers that may try to directly access sensitive data records. Furthermore, performance logs have revealed that the current exchange of digital certificates between Services A and B is unacceptably slow. How can the integrity and authenticity of messages exchanged between Services A and B be maintained, but with improved runtime performance - and - how can Databases A and B be protected with minimal additional impact on performance?

Show Answer Hide Answer
Correct Answer: B

Question No. 3

Service A is a publically accessible service that provides free multimedia retrieval capabilities to a range of service consumers. To carry out this functionality, Service A is first invoked by Service Consumer A (1). Based on the nature of the request message received from Service Consumer A, Service A either invokes Service B or Service C .When Service B is invoked by Service A (2A) it retrieves data from publicly available sources (not shown) and responds with the requested data (3A). When Service C is invoked by Service A (2B) it retrieves data from proprietary sources within the IT enterprise (not shown) and responds with the requested data (3B). After receiving a response from Service B or Service C, Service A sends the retrieved data to Service Consumer A (4). Service B does not require service consumers to be authenticated, but Service C does require authentication of service consumers. The service contract for Service A therefore uses WS-Policy alternative policies in order to express the two different authentication requirements to Service Consumer A .When Service Consumer A sends a request message (1), Service A determines whether the request requires the involvement of Service C and then checks to ensure that the necessary security credentials were received as part of the message. If the credentials provided by Service Consumer A are verified. Service A creates a signed SAML assertion and sends it with the request message to Service C (2B) This authentication information is protected by public key encryption However, responses to Service Consumer A's request message (3B, 4) are not encrypted for performance reasons. The owner of Service C is planning two changes to the service architecture:

1. A fee will be charged to Service Consumer A (or any service consumer) using Service C .2. The response messages issued by Service C need to be secured in order to prevent unauthorized access. An analysis of Service C's usage statistics reveals that a group of service consumers specifically request the retrieval of multimedia data on a frequent basis. To promote the usage of Service C to these types of service consumers, the owner of Service C plans to offer a special discount by allowing unlimited multimedia retrievals for a fixed monthly price. Service consumers that do not subscribe to this promotion will need to pay for each request individually. It is anticipated that the new promotion will significantly increase the usage of Service C .The owner of Service C therefore wants to ensure that the security added to the response messages has a minimal impact on Service C's runtime performance. What steps can be taken to fulfill these requirements?

Show Answer Hide Answer
Correct Answer: A

Question No. 4

Service A exchanges messages with Service B multiple times during the same runtime service activity. Communication between Services A and B has been secured using transport-layer security. With each service request message sent to Service B (1A .IB), Service A includes an X.509 certificate, signed by an external Certificate Authority (CA). Service B validates the certificate by retrieving the public key of the CA (2A .2B) and verifying the digital signature of the X.509 certificate. Service B then performs a certificate revocation check against a separate external CA repository (3A, 3B). No intermediary service agents reside between Service A and Service B .

To fulfill a new security requirement, Service A needs to be able to verify that the response message sent by Service B has not been modified during transit. Secondly, the runtime performance between Services A and B has been unacceptably poor and therefore must be improved without losing the ability to verify Service A's security credentials. It has been determined that the latency is being caused by redundant security processing carried out by Service B .Which of the following statements describes a solution that fulfills these requirements?

Show Answer Hide Answer
Correct Answer: A

Question No. 5

Service Consumer A sends a request message with a Username token to Service A (1). Service B authenticates the request by verifying the security credentials from the Username token with a shared identity store (2). To process Service Consumer A's request message, Service A must use Services B, C, and D .Each of these three services also requires the Username token (3. 6, 9) in order to authenticate Service Consumer A by using the same shared identity store (4, 7, 10). Upon each successful authentication, each of the three services (B, C, and D) issues a response message back to Service A (5, 8, 11). Upon receiving and processing the data in all three response messages, Service A sends its own response message to Service Consumer A (12). You are asked to redesign this service composition architecture so that it can still carry out the described message exchanges while requiring that Service Consumer A only be authenticated once using the identity store. Which of the following statements describes an accurate solution?

Show Answer Hide Answer
Correct Answer: A