Over 2,000 environments with configuration errors
Recent research by our security colleagues Rudy Dijkstra and Stan Plasmeijer underscores that importance. Both work at SUPERP and volunteer at the Dutch Institute for Vulnerability Disclosure (DIVD).
In collaboration with DIVD, they conducted a large-scale investigation into publicly accessible application environments. The result? More than 2,000 environments in which configuration errors lead to unauthorized data access.
From manual testing to automated scans
Rudy Dijkstra, an ethical hacker at SUPERP, previously pentested Mendix applications by hand. That was time-consuming, so he developed a tool to automate the process.
His solution, Menscan.io, automatically detects configuration errors in Mendix applications.
Our colleague Stan Plasmeijer further expanded this tooling. It can now analyze not only individual applications, but also large numbers of environments all at once.
A recurring pattern worldwide
The DIVD deployed the tooling for a large-scale investigation. The misconfigurations turned out not to be isolated incidents. They formed a recurring pattern: similar configuration errors across various sectors and multiple countries.
What data was exposed? Everything from names and contact information to internal files. In some cases, even documents or identification cards.
The risks? Data misuse, fraud, and reportable data breaches.
The platform works. The configuration doesn’t always.
The study focused on applications built with Mendix. The conclusion: this is not a fundamental issue with the platform itself. It comes down to configuration and authorization.
Incorrectly configured access permissions or inadequately secured components pose risks, especially when applications are publicly accessible.
Responsible disclosure and public interest
The study was conducted by DIVD, an independent volunteer organization dedicated to making the internet safer.
The process is based on responsible disclosure: vulnerabilities are first reported confidentially to the organizations concerned. They are given time to take corrective action. Only then is the information made public.
This requires more than just technical knowledge. It also requires social awareness. Understand what data means to people. Grasp the impact of a data breach. And act accordingly.
This type of research plays a key role in digital resilience and public safety. It brings to light systemic risks that would otherwise often go unnoticed.
Speed versus Governance
Application landscapes are expanding. More teams are building software. More solutions are being released. AI-powered development is making software delivery even faster.
That’s a positive development. Teams are working more efficiently. Innovation is accelerating.
But there is a risk: functionality often takes precedence over security. And over proper configuration.
Configuration determines security
Configuration is not a minor detail. It determines who has access to which data and under what conditions.
Multiple teams building without clear guidelines and oversight? That creates vulnerabilities. Not because the technology is inadequate, but because governance isn’t structured properly.
Software development therefore requires insight:
- Who is building what?
- What are the legal provisions regarding their rights?
- What checks are performed before something goes live?
Governance is not a document. It is an ongoing process that evolves in step with the pace of development.
Structural assurance within the Mendix landscape
Through our subsidiary, MxBlue | SUPERP, we help organizations implement these structural safeguards. When additional security expertise is required, we collaborate with the SUPERP Security team.
In addition, we are committed to continuous quality assurance through our partnership with Blue Storm and the AppControl solution. Automated policy checks, audit logging, and real-time reporting provide ongoing visibility into quality, security, and compliance, at both the application and portfolio levels.
Digital transformation is a deliberate choice. Structural governance ensures that this choice remains manageable and sustainable.
Would you like to know if your Mendix applications are set up correctly?
Please contact Sander. He’ll fill you in.

Sander van den Deijssel
Business Development
