
Security Specialization Sample Exam

Before Starting

This sample exam has 8 questions that will help you get ready for the Security Specialization exam.

We recommend that you prepare a real exam environment, as much as possible.

● Book a quiet room just for you.

● Print this document, apart from the last page.

● Get a stopwatch or set a timer for the (recommended) duration of 30 minutes.

The last page of this document has the correct answers. Don't peek! Use it only after completing your exam, to check how well you did.

During the Sample Exam

To accurately simulate the real exam environment, we suggest that you:

● Read each question and its answers carefully.

● Take your time! Questions may be revisited and your choices can be changed.

● Mark the questions that you want to review at the end.

● Pick only one answer per question, as only one is correct.

● Answer all questions, as there's no benefit in not doing so.

● Try turning off all electronic devices during the exam.

● Refrain from using or reading any external materials during the exam.

After Completing the Sample Exam

After completing the exam, validate the answers you selected by checking the ones provided on the last page of this document, and count the total number of correct answers. Since the passing score is 70% or higher, you should get at least 6 questions right. In case you chose any wrong answers, we suggest you review the study materials where that specific topic is covered.


Sample Exam Questions

1. A cybersecurity team is investigating a recent incident, in which a breach occurred using an authorized user account. Based on the information collected, the team believes that the authorized user actually logged in, but then someone else took over. Which form of attack caused the incident?

☐ A. Man-in-the-middle.

☐ B. Session hijacking.

☐ C. Security misconfiguration.

☐ D. Ransomware.

2. What is the purpose of the CIA security triangle?

☐ A. The CIA triangle defines the three base pillars of information security within an organization.

☐ B. The CIA triangle defines the three most common security flaws in a development project.

☐ C. The CIA triangle defines the three defense layers of software security.

☐ D. The CIA triangle defines a security best practices checklist to be followed in a development project.

3. Consider a scenario where a new security requirement states that the applications' login session should have a maximum idle time of 10 minutes. Where can that information be checked and modified in OutSystems?

☐ A. Infrastructure -> Environment Security section, in LifeTime.

☐ B. Server Request Timeout property of the application's entry module, in Service Studio.

☐ C. Factory -> Applications, select the desired application and then open the Security section.

☐ D. Administration -> Security -> Applications Authentication section, in Service Center.

4. Which of the following options is not a valid assumption about adopting Captcha?

☐ A. Adopting Captcha prevents automated harmful actions, assuring actions are performed intentionally by humans.

☐ B. Adopting Captcha protects from automated access by bots, avoiding waste of a service's resources and reducing opportunities for fraud.

☐ C. Adopting Captcha avoids automated queries from a single IP/asset.

☐ D. Adopting Captcha ensures all incorrect logins are redirected to the proper authorization process.

5. Consider you are supporting an incident response at MyBank. The attacker used the Login Screen, but rather than entering login credentials, entered some odd text: '1' = '1. What is the best description for this attack?

☐ A. Distributed denial-of-service.

☐ B. Cross-site request forgery.

☐ C. SQL injection.

☐ D. Obfuscation.

6. Consider you are using the Active Directory method, without Integrated Authentication, to authenticate the end users of your OutSystems applications. Which of the following options describes what happens when a user tries to log in to an application?

☐ A. A cryptographic hash function is computed using the user's credentials and compared to the user information stored in the OutSystems database.

☐ B. The user is redirected to a web page to enter their credentials. If the authentication is successful, the user is redirected back to the OutSystems application.

☐ C. The user's credentials are validated against the OutSystems database first. If there is no match, the credentials are then validated against the configured domain server.

☐ D. The user gets a prompt in the browser that authentication is required. If the browser already has the credentials stored, they are automatically sent to the server. If not, the user has to input the credentials. This means that even if the application has a custom Login page, the user will not see it.

7. Which of the following options does not help protect an OutSystems app from access control/permission vulnerabilities?

☐ A. Hide a widget in the UI that allows triggering/executing an Action with sensitive logic, from users without permissions to execute that Action.

☐ B. Implement Screens based on the roles of your applications and make sure they are adjusted to only have the functionalities for a particular role available.

☐ C. Check in the Action flows whether the logged-in user has permission to execute a piece of sensitive logic, before actually executing it.

☐ D. Use non-guessable IDs, such as Globally Unique Identifiers (GUIDs).

8. Which of the following actions can potentially create a security misconfiguration vulnerability?

☐ A. Use different admin credentials across environments.

☐ B. Store system documentation or API request samples as resources in the applications.

☐ C. Clean or protect your environments from unused components, sandboxes or test apps.

☐ D. Don't expose log error stack traces to the end user.


Answers

1. B
2. A
3. D
4. D
5. C
6. C
7. A
8. B
