The S-Unit

Mendix Security Advanced Training


Dive deeper with Mendix Security Advanced

Do you know how to model the core building blocks of Mendix applications securely, but want to deepen your security expertise? The Mendix Security Advanced training is the next step toward secure development. During this training, you dive into more complex vulnerabilities from The S-Unit Top 10, including advanced scenarios involving insecure entity access and microflows. You’ll discover what can go wrong when publishing or consuming integrations and how to recognize and prevent UI-related vulnerabilities. Curious to learn more? Read on.

Who is it for?

  • Mendix application developers who have completed the Mendix Security Fundamentals training and want to learn about more complex, specialized vulnerabilities.

During this training, you will learn more about:

  • The unintended security consequences of create and delete access rights 
  • The security impact of microflow interactions in more complex scenarios 
  • The concepts behind the Mendix integration security model 
  • The influence of import and export mappings on security  
  • Recognizing and preventing various forms of injection 
  • The security consequences of the client-server model  
  • Identifying and preventing UI vulnerabilities such as data exposure and Cross-Site Scripting 
  • How published integrations such as REST, SOAP, or OData can lead to unauthorized access to and manipulation of data
  • How to securely integrate with external systems, such as REST APIs or OQL/SQL connectors
  • Identifying vulnerabilities in both Studio Pro and a deployed Mendix application

What’s in it for you?

  • Fewer security issues in developed applications 
  • Lower costs throughout the development process 
  • Improved risk management thanks to developers who actively apply security principles 
  • A development process that is demonstrably more secure 
  • Directly applicable to ongoing projects

Our belief

We believe that Mendix applications are only truly secure when you understand how they are attacked. That’s why we teach developers to think like a hacker and turn security into a mindset. With more than ten years of experience, specialized Mendix experts, hundreds of tested Mendix applications, and our role as an official Mendix security partner, we understand the attack patterns, pitfalls, and limitations of the platform. We bundle this knowledge in The S-Unit Top 10 and share it with you, so every Mendix developer can build with security by design.

Prior knowledge

For this training you will need to have basic experience with Mendix Studio Pro.  

Included

  • Training material 
  • Certificate of participation 

You need to bring

  • A laptop with the following installed:
    • PortSwigger Burp Suite (Pro or Community Edition)
    • Mendix Studio Pro (latest version)

Theory

  • Deep dive TSU-02: Entity-level actions
    • Create permissions and XPath 
    • XPath bypasses on initial commit 
    • Delete permissions and XPath  
    • Delete permissions and integrity-sensitive data 
    • Microflow manipulation through create and delete permissions
  • TSU-03: Complex microflow interactions 
    • Risks of uncommitted changes 
    • Pitfalls related to data validation in microflows 
    • Status transitions and sequencing 
    • Gadget microflows and the Zero Trust Model 
  • TSU-04: Insecure Published Integrations
    • Core concepts of published integrations: Types of integrations (SOAP, REST, OData), authentication options, possibilities for user input, and the use of import and export mappings
    • Vulnerabilities: Insecure authentication configuration, insecure allowed roles, insecure use of import mappings, and insecure permissions on input objects
  • TSU-05: Insecure Consumed Integrations
    • Integration consumption options within Mendix (OData, SOAP, REST) 
    • Core concepts of injection attacks 
    • Core concepts of Server-Side Request Forgery (SSRF) 
    • Vulnerabilities: manipulation of API traffic through path traversal, manipulation of API traffic through parameter injection, manipulation of API traffic through JSON/XML injection, attacks on internal systems via SSRF, and exposure of API credentials through SSRF
  • TSU-09: Insecure UI Components
    • Sensitive data in pages, widgets, and client constants 
    • Cross-Site Scripting through HTML rendering 
    • Cross-Site Scripting through vulnerabilities in widgets
  • Recognize and prevent:
    • Based on security requirements 
    • Based on the Principle of Least Privilege 
    • Based on the Zero Trust Model 

Practical exercises

  • Interactive discussions during the theory sessions  
  • Hands-on analysis of demo applications via JavaScript and HTTP 
  • Hands-on analysis of a demo application using Studio Pro 
  • Analysis of different solution approaches for the identified vulnerabilities


Dirk van Veen
Ethical Hacker & Founder - The S-Unit

Dirk van Veen is an ethical hacker and founder of The S-Unit with a master's degree in Computer Security. He started in 2011 as a penetration tester and within The S-Unit he is ultimately responsible for the technical side of all hacking and consultancy activities. Dirk enjoys exploring and finding vulnerabilities in new technologies, such as application frameworks, cloud platforms and low code solutions. In addition to his work at The S-Unit, Dirk regularly organizes hack competitions for Hack in the Box (2012-2019) and Platform for Information Security (2014-present) and he gives weekly ballroom dancing lessons to students in Amsterdam.

Training location

Online

Lunch

Lunch is not included in this training.

Start and end time

9:00 am to 5:00 pm CEST.

Language

Please indicate in advance which language you prefer for the training. The training is available in both English and Dutch.  

Are you missing information or do you have special wishes?

Send an email to [email protected] and we will contact you as soon as possible!

Practical information

  • Duration: 1 day
  • Time: 9:00 am to 5:00 pm CEST
  • Costs: €1200 (excl. VAT) per person
  • Language: English or Dutch
  • Location: Online or offline on request
Dates 2026

  • Wednesday 20 May: Mendix Security Advanced
  • Wednesday 02 Sep: Mendix Security Advanced
  • Wednesday 16 Dec: Mendix Security Advanced