Take on the challenge: Mendix security at expert level
Think you’ve mastered securing Mendix applications? Our ethical hackers are ready to put your skills to the test in the Mendix Security Expert training. This advanced, hands-on training takes you to the highest level of Mendix security expertise. After completing the program, you can officially call yourself a Mendix Security Expert. You’ll learn how to uncover and prevent advanced vulnerabilities in authentication flows and custom Java code, and how the inner workings of the Mendix runtime affect both. Ready to step up and prove your expertise? Read on.
Who is it for?
- Mendix developers who have completed the Mendix Security Fundamentals and Advanced trainings and are ready to push their security skills to the limit.
- Developers who want to deepen their knowledge of specialized topics such as authentication, the internal workings of the Mendix runtime, and custom Java code.
During this training, you'll learn about:
- Common vulnerabilities in Mendix authentication flows
- Core concepts of Mendix request handlers and Java actions
- Risks of using System and Sudo contexts in custom Java code
- Internal details of the Mendix Client API and its state-handling mechanisms
- Secure and insecure methods of using XPath queries in Java
- Common high-code vulnerabilities in Java applications
- Identifying vulnerabilities in both Studio Pro and a deployed Mendix application
- Common vulnerabilities in custom authentication mechanisms in Mendix applications and how to secure them
- The internal workings of the Mendix Runtime, including internal authentication and authorization mechanisms
- Identifying historical vulnerabilities in the Mendix Runtime and third-party components
What’s in it for you?
- You build expertise as a Mendix security specialist
- Fewer security issues in developed applications
- Lower costs throughout the development process
- Improved risk management thanks to developers who actively apply security principles
- A development process that is demonstrably more secure
- An internal security-by-design proposition
Our belief
We believe that Mendix applications are only truly secure when you understand how they are attacked. That’s why we teach developers to think like a hacker and turn security into a mindset.
With more than ten years of experience, specialized Mendix experts, hundreds of tested Mendix applications, and our role as an official Mendix security partner, we understand the attack patterns, pitfalls, and limitations of the platform. We bundle this knowledge in The S-Unit Top 10 and share it with you, so every Mendix developer can build with security by design.
Prior knowledge
This training assumes that participants have completed the Mendix Security Fundamentals training and are familiar with the vulnerabilities and detection and prevention techniques covered in that course.
Included
- Training material
- Certificate of participation
You need to bring
- A laptop with the following installed:
- PortSwigger Burp Suite (Pro or Community Edition)
- Mendix Studio Pro (latest version)
Theory
- Architecture of the Mendix Runtime:
- Core concepts of the Client API: actions and runtime operations
- User, Sudo and System contexts
- TSU-06: Use of outdated or end-of-life components
- Claim-based authentication (JWT/SAML)
- Examples of vulnerabilities in outdated widgets, Marketplace modules, Java libraries, and the runtime
- TSU-07: Insecure custom authentication
- Core concepts and vulnerabilities in user authentication:
- (In)secure use of (anonymous) sessions
- Competing authentication mechanisms
- Core concepts and vulnerabilities in authentication integrations
- Claim-based authentication (JWT/SAML)
- Verifying digital signatures
- Non-user based authentication (API-key, etc.)
- TSU-08: Insecure custom Java
- Authorization checks in Sudo/System contexts
- Input recognition and validation
- Output encoding and Cross-Site Scripting
- XML/JSON deserialization and format-specific vulnerabilities
- TSU-10: Insecure cloud deployments
- Path-based access restrictions
- Security headers and Content Security Policy
- Insecure configuration of constants
- Recognize and prevent:
- Based on security requirements
- Based on the Principle of Least Privilege
- Based on the Zero Trust Model
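As an added illustration of the "Verifying digital signatures" item under TSU-07, the block below is example code written for this page; it is not training material or code from The S-Unit or Mendix. It assumes a custom integration that accepts HS256 tokens signed with a shared secret, and the key and tokens it uses are constructed for the demo. It shows the three checks a custom authentication mechanism must perform before trusting any claim: pin the algorithm instead of reading it from the token header (which is what makes an `alg: none` forgery fail), compare the signature in constant time, and enforce expiry.

```python
# Added example (not from the training page): minimal HS256 JWT verification
# using only the Python standard library. Key and tokens are constructed here
# purely for demonstration; "HS256 with a shared secret" is an assumption.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"  # pinned server-side; never taken from the token


def _b64url_decode(s: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes, header: Optional[dict] = None) -> str:
    """Issue a token. `header` is overridable only so the tests can build forgeries."""
    header = header or {"alg": ALLOWED_ALG, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is validly signed with `key` and unexpired.

    Raises ValueError on any failure; the caller must treat that as unauthenticated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts

    header = json.loads(_b64url_decode(h))
    # Check 1: the algorithm is a server-side decision. Trusting header["alg"]
    # lets a client downgrade to "none" (empty signature) or swap algorithms.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")

    # Check 2: recompute the MAC over the exact signed bytes and compare in
    # constant time, so a byte-by-byte timing side channel cannot leak the MAC.
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")

    # Check 3: only now is the payload trustworthy; enforce expiry on it.
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def check_token(token: str, key: bytes, now: Optional[float] = None) -> str:
    """Convenience wrapper returning 'ok' or the rejection reason."""
    try:
        verify_hs256(token, key, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

Note the order of the checks: the payload is only decoded after the signature has been verified, so a tampered `sub` or `exp` is never acted on. Real integrations that accept RS256/SAML assertions apply the same principle with the public key of the identity provider: the acceptable algorithm and key are configured on the server, not negotiated by the token.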
Practical exercises
- Interactive discussions during the theory sessions
- Hands-on analysis of demo applications via JavaScript and HTTP
- Hands-on analysis of a demo application using Studio Pro
- Analysis of different solution approaches for the identified vulnerabilities

Dirk van Veen
Ethical Hacker & Founder - The S-Unit
Dirk van Veen is an ethical hacker and founder of The S-Unit with a master's degree in Computer Security. He started in 2011 as a penetration tester and within The S-Unit he is ultimately responsible for the technical side of all hacking and consultancy activities. Dirk enjoys exploring and finding vulnerabilities in new technologies, such as application frameworks, cloud platforms and low code solutions. In addition to his work at The S-Unit, Dirk regularly organizes hack competitions for Hack in the Box (2012-2019) and Platform for Information Security (2014-present) and he gives weekly ballroom dancing lessons to students in Amsterdam.
Training location
Online
Lunch
Lunch is not included in this training.
Start and end time
9:00 am to 5:00 pm CEST.
Language
Please indicate in advance which language you prefer for the training. The training is available in both English and Dutch.
Are you missing information or do you have special wishes?
Send an email to [email protected] and we will get back to you as soon as possible!