Stan
Stan Plasmeijer is an ethical hacker at SUPERP and Operational Lead at DIVD-CSIRT, working on large-scale vulnerability discovery and coordinated disclosure. He likes to first understand how systems are supposed to work, and then see what happens when they don’t.
Session
It started, as many DIVD investigations do, with someone poking at something they probably shouldn't have and going "...huh." That someone was looking at Mendix, a low-code platform used by thousands of organisations worldwide, including some that really should know better... and what followed was a full-blown research journey that nobody quite expected.
In this talk, Stan Plasmeijer and Rudy Dijkstra walk you through the complete DIVD Mendix security story, from the first accidental discovery to building scanners, coordinating disclosures, and figuring out just how widespread the problem actually was. You'll learn how Mendix works, why it keeps breaking in the same ways, and how to test for it yourself. It's not complicated. That's almost the whole problem.
This talk is for blue teamers wondering what's hiding in their organisation's app landscape, red teamers looking for something new to love, and developers who'd prefer not to feature in someone else's CVE. No prior Mendix knowledge needed. A working sense of humour helps.