Security in Low-Code Applications: Cybersecurity Features and Best Practices for the Joget Open Source Platform

Introduction to Security Benefits and Risks in Low-Code Platforms

However, the proliferation of apps and digital solutions brings with it increased cybersecurity risks such as phishing attempts and ransomware attacks. As the SolarWinds hack in 2020 and the Microsoft Exchange hack in 2021 demonstrated, the cost of security lapses can be monumental. Security considerations are therefore paramount, so how do they apply to low-code platforms?

Source: Don’t Ignore Security In Low-Code Development, Forrester Research Inc, 23rd Dec 2020

In the Forrester report Don’t Ignore Security In Low-Code Development, several findings were presented:

  1. Low-code platforms empower business users, called citizen developers, who are likely to be less aware of or trained in application security. This increases the number of people who could potentially access sensitive data or introduce security vulnerabilities.
  2. Despite this, low-code applications can be more secure than those built with traditional coding methods, because low-code platforms typically provide built-in security controls and can automatically mitigate common issues like SQL injection or cross-site scripting (XSS). Custom code, however, can reintroduce these risks, so it needs to be managed.
  3. Low-code platforms provide a multitude of security controls and practices, so organizations must understand and implement policies and processes that address security requirements at both the platform and the application level.

In an article from IDG titled 4 security concerns for low-code and no-code development, several security concerns were highlighted:

  1. Lack of visibility into what citizen developers are actually building. This is related to shadow IT, where IT loses track of applications being built and deployed within the organization.
  2. No data oversight, in the sense that proper access controls are not put in place to protect access to sensitive data. When connecting to data sources, appropriate security controls may not have been applied to ensure data is shared only as intended.
  3. No auditing of vendor systems, where organizations may not have access to the security audits and compliance attestations that are already in place for the low-code platform.
  4. Business logic problems that expose data, when custom code does not enforce secure access to sensitive data. Organizations might not apply adequate security training and testing to custom code, which can introduce security risks.

Fundamentally, low-code platforms present organizations with both security benefits and security risks, so it is important to understand and implement the appropriate security controls and policies for the chosen platform.

How to Address Low-Code Security Risks with Joget Cybersecurity Features and Best Practices

#1 Platform Security Audits and Compliance

Each commercial version of the Joget platform is continually audited with Micro Focus Fortify On Demand static application security testing (SAST) scans to ensure a 5-star rating before every release. Micro Focus is a multi-year leader in the Gartner Magic Quadrant for Application Security Testing, and is compliant with many security standards including FISMA, PCI 3.2 and DISA STIG 4.3. This helps to ensure that critical security concerns like the OWASP Top 10 are addressed at the platform level.

Best Practice: Leverage commercially supported platform editions that have undergone security hardening and audit. Ensure that the platform is deployed in a secure environment, because if the underlying IT infrastructure is insecure, then the entire system will be vulnerable.

#2 Authentication and Single Sign-On

For additional authentication security, Joget provides a Security Enhanced Directory Manager that offers more secure credentials management, password storage and password policies. Multi-factor authentication (MFA) is also available, with the industry-standard Time-based One-Time Password (TOTP) algorithm supported out of the box.

Best Practice: Enable security enhanced directory features, multi-factor authentication (MFA) and/or single sign-on (SSO) in production environments.

#3 Platform Access Control

This approach can be further expanded to disparate departments or business units in the deployment of the Joget platform itself, through multi-tenant support in the Joget Cloud Edition, or by utilizing namespaces and projects in cloud-native Kubernetes environments like Red Hat OpenShift or Google Kubernetes Engine.

Best Practice: For large-scale enterprise environments, centralize the deployment of the platform in a cloud-native or multi-tenant deployment, and utilize app designer delegation for IT visibility and governance.

#4 Application Access Control and Audits

For security, audit trails are an important record of system activity that helps detect potential security violations and flaws. During development, Joget offers Git integration so that all application changes are automatically captured and tracked for audit. At runtime, application audit trails are also captured automatically.

Best Practice: Utilize fine-grained permission and access controls when designing applications and processes. Take advantage of Git integration and audit trails for development and runtime security monitoring.

#5 Secure Code Using Plugins

Best Practice: Where appropriate, use pre-built plugins or engage security-aware professional developers to develop reusable and secure plugins that can be used by citizen developers. The custom plugins should be subjected to security reviews before release.

#6 Secure API Endpoints

Best Practice: When building applications as smaller composable components that are assembled into larger solutions, make sure the APIs between them are secured with appropriate access controls.

Conclusion

Get Started
