Application/Platform Security Policy (AppSec)
Objective
To ensure that all software developed, tested, and deployed by EasyCred is secure by design, resilient against common vulnerabilities, and compliant with RBI/CERT-In and global best practices.
Scope
EasyCred website (easycred.co.in)
Mobile applications (iOS, Android)
APIs and integrations (loan partners, payment gateways, KYC vendors)
Internal admin dashboards, CRM, and employee tools
Secure Development Lifecycle (SDLC)
Threat Modeling: Conduct threat analysis for every new feature (e.g., loan disbursal API, KYC verification).
Static Analysis (SAST): All code must pass automated scans for SQLi, XSS, hardcoded secrets, etc.
Dependency Management: Only use approved libraries/packages; run regular vulnerability checks (e.g., npm audit, Snyk).
Code Review: Peer review required before merging. Security-critical changes must be reviewed by a senior engineer.
Authentication & Authorization
Enforce OAuth 2.0 / JWT tokens for API calls.
Implement role-based access control (RBAC) for customers, admins, and vendors.
Expire sessions after 15 minutes of inactivity.
Enforce Multi-Factor Authentication (MFA) for admin and partner logins.
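The session-expiry and RBAC requirements above can be enforced in one server-side check. The following is an added illustration, not EasyCred's code: an in-memory session store with the policy's 15-minute idle timeout, an assumed 12-hour absolute cap, and a hypothetical permission matrix for the customer, admin and vendor roles named in the policy. The clock is injectable so the behaviour can be tested deterministically.

```python
"""Idle-timeout sessions plus role-based authorization (added example, not EasyCred code).

Assumptions (not from the policy): an in-memory store stands in for Redis/DB,
ABSOLUTE_TIMEOUT is 12 hours, and the PERMISSIONS matrix is illustrative.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # policy: expire after 15 minutes of inactivity
ABSOLUTE_TIMEOUT = 12 * 60 * 60  # assumption: hard cap even for active sessions

# Assumed permission matrix for the roles the policy names.
PERMISSIONS = {
    "customer": {"loan:view_own", "kyc:submit"},
    "vendor": {"kyc:verify"},
    "admin": {"loan:view_own", "loan:view_all", "kyc:verify", "user:manage"},
}


@dataclass
class Session:
    user_id: str
    role: str
    created: float    # for the absolute timeout
    last_seen: float  # for the idle timeout


class FakeClock:
    """Deterministic clock for tests; production uses time.time."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user_id, role):
        # 256-bit random identifier: unguessable, nothing derived from user data.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user_id, role, now, now)
        return sid

    def touch(self, sid):
        """Validate a session and refresh its idle timer; return the Session or None."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired sessions are removed, not just rejected
            return None
        s.last_seen = now
        return s

    def revoke(self, sid):
        self._sessions.pop(sid, None)


def authorize(store, sid, permission):
    """Return 'ok', 'no_session' (re-authenticate) or 'forbidden' (live session, wrong role)."""
    s = store.touch(sid)
    if s is None:
        return "no_session"
    if permission not in PERMISSIONS.get(s.role, set()):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    sid = store.create("cust-42", "customer")
    print(authorize(store, sid, "loan:view_own"))   # ok
    print(authorize(store, sid, "loan:view_all"))   # forbidden
    clock.t += 16 * 60
    print(authorize(store, sid, "loan:view_own"))   # no_session (idle > 15 min)
```

Keeping `authorize` distinct from `touch` lets the SOC tell an expired session (noise) from a live session probing beyond its role (worth an alert).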
Data Handling
PII Protection: Aadhaar, PAN, bank details, etc. must be encrypted at rest (AES-256) and in transit (TLS 1.3).
Data Minimization: Collect only what is necessary for loan processing.
Masking: Display only partial sensitive data (e.g., last 4 digits of Aadhaar).
Audit Logs: Record access to PII with immutable logging.
API Security
All APIs must be authenticated (no anonymous endpoints).
Use rate limiting & throttling to prevent abuse.
Validate all inputs with whitelisting, not blacklisting.
Implement HMAC or signature-based verification for partner APIs (e.g., NBFC loan APIs).
Monitor for anomalies (e.g., repeated failed OTP verifications).
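As an added illustration of the HMAC requirement for partner APIs (example code, not EasyCred's or any NBFC partner's implementation), the following signs a request on the partner side and verifies it on the receiving side. The header names, the 5-minute freshness window and the nonce cache are assumptions; the shared secret and request body are constructed sample values. Replay rejection and constant-time comparison are the two details practitioners most often omit.

```python
"""HMAC-SHA256 request signing for partner APIs (added example, not EasyCred code).

Assumptions: one shared secret per partner, held in a vault in production; the
signature covers method, path, timestamp, nonce and a SHA-256 hash of the body;
X-Partner-* header names and the 300-second window are illustrative.
"""
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumption)


class FakeClock:
    """Deterministic clock for tests; production uses time.time."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


def canonical_string(method, path, timestamp, nonce, body):
    """Exactly what is signed; both sides must build it identically."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(secret, method, path, body, now=None, nonce=None):
    """Partner side: return the headers to attach to the request."""
    timestamp = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body), hashlib.sha256)
    return {
        "X-Partner-Timestamp": str(timestamp),
        "X-Partner-Nonce": nonce,
        "X-Partner-Signature": mac.hexdigest(),
    }


class SignatureVerifier:
    """EasyCred side: verify freshness, uniqueness and signature, in that order."""

    def __init__(self, secrets_by_partner, clock=time.time):
        self._secrets = secrets_by_partner
        self._clock = clock
        self._seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, partner_id, method, path, headers, body):
        secret = self._secrets.get(partner_id)
        if secret is None:
            return "unknown_partner"
        try:
            ts = int(headers["X-Partner-Timestamp"])
            nonce = headers["X-Partner-Nonce"]
            sig = headers["X-Partner-Signature"]
        except (KeyError, ValueError):
            return "missing_headers"
        now = self._clock()
        if abs(now - ts) > MAX_SKEW:
            return "stale"  # outside the window: a replay can never be old enough
        self._purge(now)
        if nonce in self._seen:
            return "replay"
        expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad_signature"  # constant-time compare; no timing leak
        # Only a correctly signed nonce is recorded, so forged requests cannot
        # pre-empt a nonce the genuine partner is about to use.
        self._seen[nonce] = now + MAX_SKEW
        return "ok"

    def _purge(self, now):
        for n in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[n]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # sample value
    body = json.dumps({"loan_id": "LN-0001", "amount": 250000}).encode()  # constructed
    clock = FakeClock()
    verifier = SignatureVerifier({"nbfc-demo": secret}, clock=clock)
    headers = sign_request(secret, "POST", "/v1/loans/disburse", body, now=clock())
    print(verifier.verify("nbfc-demo", "POST", "/v1/loans/disburse", headers, body))  # ok
    print(verifier.verify("nbfc-demo", "POST", "/v1/loans/disburse", headers, body))  # replay
```

The verdict strings map directly onto the anomaly monitoring bullet: a burst of `bad_signature` or `replay` results from one partner is the kind of pattern the SOC should be alerted on.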
Web & Mobile App Security
Prevent OWASP Top 10 vulnerabilities: SQLi, XSS, CSRF, IDOR, SSRF, etc.
Use Content Security Policy (CSP) to reduce XSS.
Apply certificate pinning in mobile apps to prevent MITM attacks.
Store secrets (API keys, DB credentials) only in vaults (e.g., AWS KMS, HashiCorp Vault).
Enforce automatic updates and bug-fix rollouts.
Testing & Deployment
Penetration Testing: External penetration tests at least quarterly.
Bug Bounty Program: Encourage responsible disclosure from ethical hackers.
Staging Environment: All features tested in staging with production-like data (synthetic, not real PII).
Zero-Downtime Deployment: Blue-Green or Canary releases to reduce risk.
Monitoring & Incident Handling
Enable real-time monitoring of application logs (API errors, authentication failures).
Alerts must be sent to the Security Operations Center (SOC) when anomalies are detected.
Provide a quick rollback mechanism for faulty deployments.
Developer Responsibilities
Mandatory annual security training (OWASP, secure coding).
Immediate reporting of suspected vulnerabilities.
No use of personal devices for production code access.
Developers must not store production data locally.