Security in Low-Code Applications: Cybersecurity Features and Best Practices for the Joget Open Source Platform

Introduction to Security Benefits and Risks in Low-Code Platforms

As digitalization becomes increasingly prevalent, low-code platforms are rapidly gaining adoption across industries. By applying visual techniques to programming, they enable the development and delivery of applications in a fraction of the time required by traditional coding. According to Forrester’s Now Tech: General-Purpose Low-Code Development Platforms, Q1 2021, low-code platforms are “vital to digital business” and “proven in even the most mission-critical use cases”.

  1. Low-code applications can be more secure than those built with traditional coding methods, because low-code platforms typically provide built-in security controls and can automatically mitigate common security issues like SQL injection or cross-site scripting (XSS). Custom code may introduce additional risks, however, so these need to be managed.
  2. Low-code platforms provide a multitude of security controls and practices, so organizations must understand and implement policies and processes to address security requirements, both at the platform and application level.

  1. No data oversight: proper access controls are not put in place, or access to sensitive data is not protected. When connecting to data sources, appropriate security controls may not have been put in place to ensure proper sharing of data.
  2. No auditing of vendor systems: organizations may not have access to the security audits and compliance that are already in place in the low-code platforms.
  3. Business logic problems that expose data: custom code may not enforce secure access to sensitive data. Organizations might not apply adequate security training and testing to custom code, which might introduce security risks.

How to Address Low-Code Security Risks with Joget Cybersecurity Features and Best Practices

As a leading open source low-code platform, Joget recognizes the critical importance of application security and offers many built-in security safeguards and controls.

#1 Platform Security Audits and Compliance

The core Joget platform is fully open source and publicly available for scrutiny. Open source offers much greater transparency compared to fully proprietary solutions, and allows visibility into the source code and inner workings of the platform.

#2 Authentication and Single Sign-On

Joget supports the most popular single sign-on (SSO) authentication standards such as OpenID Connect, SAML, LDAP and Kerberos, as well as custom authentication implementations. By allowing users to access multiple applications by using a single login, SSO simplifies identity management, reduces security risks and helps with regulatory compliance.

#3 Platform Access Control

To mitigate the problem of shadow IT and lack of visibility, Joget allows organizations to delegate app development to specific users or groups by assigning App Designer roles. By having a centralized platform with delegated citizen developers, IT will be able to not only oversee the development of apps, but also collaboratively develop them.

#4 Application Access Control and Audits

For applications built on the Joget platform, there are a multitude of fine-grained role-based access controls (RBAC) available. Depending on requirements, permission controls can be defined to protect the entire app UI (userview), a category, a page, a form or even a form section. For process automation, access controls are mapped to participants in the workflow to ensure appropriate and secure user task assignments.

#5 Secure Code Using Plugins

One of the strengths of the Joget platform is its flexible plugin architecture, where plugins can be developed by professional developers to extend the platform in whichever way desired. By utilizing plugins instead of custom scripting or ad-hoc code, Joget allows security-aware professional developers to develop secure components to be used by citizen developers. These plugins can be developed in-house, or published and installed from the Joget Marketplace.

#6 Secure API Endpoints

Application Programming Interfaces (APIs) are an important part of modern application architecture, facilitating the use of microservices and composable business applications that build solutions from smaller components. Joget provides built-in JSON APIs, as well as a more advanced API Builder that offers a visual drag-and-drop approach to expose application data via OpenAPI (formerly known as Swagger) compliant APIs. Most importantly, these APIs are secure by default, and the API Builder additionally offers simple and extensible customized configuration for secure authentication.


Modern low-code platforms offer proven advantages for organizations undergoing rapid digital transformation in these uncertain times. The Joget platform specifically offers many security features and controls, and it is essential for an organization to fully harness these features to suit its unique environment.
