A strong security foundation for everyone working with Mendix
Do you want to learn how to model your Mendix applications even more securely? The Mendix Security Fundamentals training provides a solid foundation for everyone working with Mendix.
You’ll get hands-on experience with the three most common and critical Mendix vulnerabilities from The S-Unit Top 10. This enables you to systematically assess whether your Mendix applications are truly secure and to perform essential development tasks safely as a Mendix developer.
If secure development in Mendix matters to you, this foundational training is exactly what you’re looking for.
Who is it for?
This training is designed for:
- Mendix application developers who want to take the next step toward secure development
- Mendix application architects who want to support developers in secure development
- Testers of Mendix applications who want to identify security-related issues
During this training, you'll learn about:
- How the Mendix security model is structured and how it works in practice
- The core principles of secure development within Mendix
- The top 3 vulnerabilities from The S-Unit Top 10
- How to recognize and prevent variants of these vulnerabilities in Studio Pro
- How to identify security vulnerabilities in a deployed Mendix application
- How to systematically assess whether a Mendix application can truly be considered secure
- How seemingly minor mistakes in entity access rights can lead to major data leaks
- How to systematically analyze whether your microflow logic is securely implemented
- How to perform essential Mendix development tasks in a secure way
What’s in it for you?
- Fewer security issues in developed applications
- Lower costs throughout the development process
- Better risk management thanks to developers who actively apply security principles
- A development process that is demonstrably more secure
- An internal security-by-design proposition
- Directly applicable to ongoing projects
Our belief
We believe that Mendix applications are only truly secure when you understand how they are attacked. That’s why we teach developers to think like a hacker and turn security into a mindset.
With more than ten years of experience, specialized Mendix experts, hundreds of tested Mendix applications, and our role as an official Mendix security partner, we understand the attack patterns, pitfalls, and limitations of the platform. We bundle this knowledge in The S-Unit Top 10 and share it with you, so every Mendix developer can build with security by design.
Prior knowledge
For this training you will need to have basic experience with Mendix Studio Pro.
Included
- Training material
- Certificate of participation
You need to bring
- A laptop with the following installed:
  - PortSwigger Burp Suite (Pro or Community Edition)
  - Mendix Studio Pro (latest version)
Theory
- Basic theory of secure development:
  - Core concepts: Secure by Design, Principle of Least Privilege, Zero Trust Model
  - The S-Unit Top 10 vulnerabilities for Mendix applications
- Mendix security model:
  - TSU-01: Insecure User Roles
    - Insecure composition of module roles
    - Insecure use of Marketplace module roles
    - Insecure use of User Management permissions
  - TSU-02: Insecure Entity Access
    - Insecure read permissions
    - Insecure write permissions
    - Insecure XPath constraints
  - TSU-03: Insecure microflows
    - Insecure microflow permissions
    - Identification based on the Principle of Least Privilege
    - Insecure microflow implementations
    - Insecure use of nanoflows
    - Insecure use of Apply Entity Access
- Recognize and prevent:
  - Based on security requirements
  - Based on the Principle of Least Privilege
  - Based on the Zero Trust Model
Practical exercises
- Interactive discussions during the theory sessions
- Hands-on analysis of demo applications via JavaScript and HTTP
- Hands-on analysis of a demo application using Studio Pro
- Analysis of different solution approaches for the identified vulnerabilities

Dirk van Veen
Ethical Hacker & Founder - The S-Unit
Dirk van Veen is an ethical hacker and founder of The S-Unit with a master's degree in Computer Security. He started in 2011 as a penetration tester and within The S-Unit he is ultimately responsible for the technical side of all hacking and consultancy activities. Dirk enjoys exploring and finding vulnerabilities in new technologies, such as application frameworks, cloud platforms and low code solutions. In addition to his work at The S-Unit, Dirk regularly organizes hack competitions for Hack in the Box (2012-2019) and Platform for Information Security (2014-present) and he gives weekly ballroom dancing lessons to students in Amsterdam.
Training location
Online
Lunch
Lunch is not included in this training.
Start and end time
9:00 am to 5:00 pm CEST.
Language
Please indicate in advance which language you prefer for the training. The training is available in both English and Dutch.
Are you missing information or do you have special wishes?
Send an email to [email protected] and we will contact you as soon as possible!