Security Specialization Sample Exam

Before Starting

This sample exam has 8 questions that will help you get ready for the Security Specialization exam. We recommend that you recreate a real exam environment as closely as possible.

● Book a quiet room just for you.
● Print this document, apart from the last page.
● Get a stopwatch or set a timer for the (recommended) duration of 30 minutes.

The last page of this document has the correct answers. Don't peek! Use it only after completing your exam, to check how well you did.

outsystems.com

During the Sample Exam

To accurately simulate the real exam environment, we suggest that you:

● Read each question and its answers carefully.
● Take your time! Questions may be revisited and your choices can be changed.
● Mark the questions that you want to review at the end.
● Pick only one answer per question, as only one is correct.
● Answer all questions, as there is no benefit in leaving any blank.
● Turn off all electronic devices during the exam.
● Refrain from using or reading any external materials during the exam.

After Completing the Sample Exam

After completing the exam, check the answers you selected against the ones provided on the last page of this document, and count the total number of correct answers. Since the passing score is 70% or higher, you should get at least 6 of the 8 questions right. If you chose any wrong answers, we suggest you review the study materials where that specific topic is covered.

Sample Exam Questions

1. A cybersecurity team is investigating a recent incident, where a breach occurred using an authorized user account. Based on the information collected, the team believes that the authorized user actually logged in, but then someone else took over. Which form of attack caused the incident?
A. Man-in-the-middle.
B. Session hijacking.
C. Security misconfiguration.
D. Ransomware.

2. What is the purpose of the CIA security triangle?
A. The CIA triangle defines the three base pillars of information security within an organization.
B. The CIA triangle defines the three most common security flaws in a development project.
C. The CIA triangle defines the three defense layers of software security.
D. The CIA triangle defines a security best practices checklist to be followed in a development project.

3. Consider a scenario where a new security requirement states that application sessions should have a maximum idle time of 10 minutes. Where can that setting be checked and modified in OutSystems?
A. Infrastructure -> Environment Security section, in LifeTime.
B. Server Request Timeout property of the application's entry module, in Service Studio.
C. Factory -> Applications, select the desired application, and then open the Security section.
D. Administration -> Security -> Applications Authentication section, in Service Center.

4. Which of the following options is not a valid assumption about adopting Captcha?
A. Adopting Captcha prevents automated harmful actions, ensuring actions are only intentionally performed by humans.
B. Adopting Captcha protects from automated access by bots, avoiding waste of a service's resources and reducing opportunities for fraud.
C. Adopting Captcha avoids automated queries from a single IP/asset.
D. Adopting Captcha ensures all incorrect logins are redirected to the proper authorization process.

5. Consider you are supporting an incident response at MyBank. The attacker used the Login Screen, but rather than entering login credentials, they entered some odd text: '1' = '1. What is the best description for this attack?
A. Distributed denial-of-service.
B. Cross-site request forgery.
C. SQL injection.
D. Obfuscation.

6. Consider you are using the Active Directory method without Integrated Authentication to authenticate the end-users of your OutSystems applications. Which of the following options describes what happens when an end-user tries to log into an application?
A. A cryptographic hash function is computed using the end-user's credentials and compared to the user information stored in the OutSystems database.
B. The end-user is redirected to a web page to enter their credentials. If the authentication is successful, they are redirected back to the OutSystems application.
C. The end-user's credentials are validated against the OutSystems database first. If there is no match, the credentials are validated against the configured domain server.
D. The end-user gets information in the browser that authentication is required. If the browser already has the credentials stored, they are automatically sent to the server. If not, the end-user has to input the credentials. This means that even if the application has a custom Login page, the end-user will not see it.

7. Which of the following options does not help protect an OutSystems app from access control/permission vulnerabilities?
A. Hide a widget in the UI that allows triggering/executing an Action with sensitive logic from users without permission to execute that Action.
B. Implement Screens based on the roles of your applications and make sure they are adjusted to only have their functionalities available for a particular role.
C. Check in the Action flows whether the logged-in user has permission to execute a piece of sensitive logic before actually executing it.
D. Use non-guessable IDs, such as Globally Unique Identifiers (GUIDs).

8. Which of the following actions can potentially create a security misconfiguration vulnerability?
A. Using different admin credentials across environments.
B. Storing system documentation or API request samples as resources in the applications.
C. Cleaning unused components, sandboxes, or test apps out of your environments, or protecting them.
D. Not exposing error log stack traces to the end user.

Answers

1. B
2. A
3. D
4. D
5. C
6. C
7. A
8. B
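The following is an added worked example for question 5; it is not part of the exam and does not describe OutSystems code. It shows why the odd text in the question is a SQL injection: when a login query is built by string concatenation, the fragment `'1' = '1` closes the attacker's quoted value and appends a tautology, so the WHERE clause is true for every row and the login succeeds without a valid password. The parameterized version treats the same text as a plain value. The `Users` table, the two accounts and the plaintext passwords are constructed for the demonstration only (a real system compares salted password hashes).

```python
import sqlite3

# Constructed sample data, not from the exam. Plaintext passwords are used
# only to keep the injection demonstration short.
USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]

# The attacker's text from question 5, preceded by the quote and OR that
# turn it into a tautology inside a concatenated query.
PAYLOAD = "' OR '1' = '1"


def make_db():
    """Create an in-memory SQLite database with a constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Concatenates untrusted input straight into the SQL text."""
    return ("SELECT COUNT(*) FROM Users WHERE Username = '" + username +
            "' AND Password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Vulnerable login: the attacker's text becomes part of the SQL grammar.

    With password set to PAYLOAD the query reads
    ... WHERE Username = 'alice' AND Password = '' OR '1' = '1'
    which is true for every row, so the login succeeds.
    """
    return conn.execute(build_vulnerable_sql(username, password)).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterized login: the driver binds the values, so '1' = '1 is only
    ever compared as a password string and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("alice", PAYLOAD))
    print("vulnerable, injected password:", login_vulnerable(db, "alice", PAYLOAD))
    print("safe, injected password:      ", login_safe(db, "alice", PAYLOAD))
    # The same idea in the username field, using a SQL comment to discard
    # the rest of the statement.
    print("vulnerable, injected username:", login_vulnerable(db, PAYLOAD + "' --", "x"))
    print("safe, injected username:      ", login_safe(db, PAYLOAD + "' --", "x"))
```

In OutSystems terms the equivalent defect is an Advanced SQL query that uses Expand Inline parameters with unsanitized user input; parameters bound normally are passed as values, like the `?` placeholders above.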
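The following is an added worked example for question 7; it is not part of the exam and is not OutSystems code. It models the difference between hiding a widget in the UI (option A, which does not protect anything) and checking the user's role inside the Action before the sensitive logic runs (option C). The screen renderer hides the "Approve" button from a customer, but a crafted request still reaches the unprotected action; only the action that checks the role server-side rejects it. The roles, sessions and the loan-approval action are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Hypothetical roles for the illustration.
ROLE_LOAN_OFFICER = "LoanOfficer"
ROLE_CUSTOMER = "Customer"


@dataclass
class Session:
    """Server-side session: the roles come from the identity store, never from the client."""
    user: str
    roles: set = field(default_factory=set)


class PermissionDenied(Exception):
    pass


def check_role(session, role):
    """The server-side check an Action must perform before sensitive logic."""
    if role not in session.roles:
        raise PermissionDenied(f"{session.user} lacks role {role}")


def render_screen(session):
    """UI layer: returns the widgets shown to this user. Hiding a widget is a
    usability decision, not an authorization control."""
    widgets = ["ViewLoan"]
    if ROLE_LOAN_OFFICER in session.roles:
        widgets.append("ApproveLoanButton")
    return widgets


def approve_loan_unprotected(session, loan_id):
    """Option A: relies on the button being hidden. Anyone who sends the
    request directly (curl, a replayed request, a modified page) succeeds."""
    return {"loan": loan_id, "approved_by": session.user}


def approve_loan_protected(session, loan_id):
    """Option C: the Action verifies the role itself, so the hidden button
    is irrelevant to whether the logic can run."""
    check_role(session, ROLE_LOAN_OFFICER)
    return {"loan": loan_id, "approved_by": session.user}


def crafted_request(action, session, loan_id):
    """Simulates a user bypassing the UI and calling the server action directly."""
    try:
        return action(session, loan_id)
    except PermissionDenied as exc:
        return {"error": str(exc)}


def simulate():
    """Run both actions for an officer and for a customer who never sees the button."""
    officer = Session("olivia", {ROLE_LOAN_OFFICER})
    customer = Session("carl", {ROLE_CUSTOMER})
    return {
        "customer_sees_button": "ApproveLoanButton" in render_screen(customer),
        "customer_unprotected": crafted_request(approve_loan_unprotected, customer, 42),
        "customer_protected": crafted_request(approve_loan_protected, customer, 42),
        "officer_protected": crafted_request(approve_loan_protected, officer, 42),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The point the exam is testing: the customer never sees the button, yet the unprotected action still approves the loan on a direct request. Role checks belong in the Action flow, with screen-level role restrictions (option B) and non-guessable identifiers (option D) as additional layers.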