Quick Actions

© 2025 EASYCRED. All rights reserved.

Application Security Policy

Ensuring secure software development and deployment practices at EASYCRED

Security First Approach

To ensure that all software developed, tested, and deployed by EasyCred is secure by design, resilient against common vulnerabilities, and compliant with RBI/CERT-In and global best practices.

Scope

This policy applies to all software and systems within the EASYCRED ecosystem, including:

  • EasyCred website (easycred.co.in)
  • Mobile applications (iOS, Android)
  • APIs and integrations (loan partners, payment gateways, KYC vendors)
  • Internal admin dashboards, CRM, and employee tools

Secure Development Lifecycle (SDLC)

Threat Modeling

Conduct threat analysis for every new feature (e.g., loan disbursal API, KYC verification).

Static Analysis (SAST)

All code must pass automated scans for SQLi, XSS, hardcoded secrets, etc.

Dependency Management

Only use approved libraries/packages; run regular vulnerability checks (e.g., npm audit, snyk).

Code Review

Peer review required before merging. Security-critical changes must be reviewed by a senior engineer.

Authentication & Authorization

  • Enforce OAuth2.0 / JWT tokens for API calls.
  • Implement role-based access control (RBAC) for customers, admins, and vendors.
  • Expire sessions after 15 minutes of inactivity.
  • Enforce Multi-Factor Authentication (MFA) for admin and partner logins.

Data Handling

  • PII Protection: Aadhaar, PAN, bank details, etc. must be encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Data Minimization: Collect only what is necessary for loan processing.
  • Masking: Display only partial sensitive data (e.g., last 4 digits of Aadhaar).
  • Audit Logs: Record access to PII with immutable logging.

API Security

  • All APIs must be authenticated (no anonymous endpoints).
  • Use rate limiting & throttling to prevent abuse.
  • Validate all inputs with whitelisting, not blacklisting.
  • Implement HMAC or signature-based verification for partner APIs (e.g., NBFC loan APIs).
  • Monitor for anomalies (e.g., repeated failed OTP verifications).

Web & Mobile App Security

  • Prevent OWASP Top 10 vulnerabilities: SQLi, XSS, CSRF, IDOR, SSRF, etc.
  • Use Content Security Policy (CSP) to reduce XSS.
  • Apply certificate pinning in mobile apps to prevent MITM attacks.
  • Store secrets (API keys, DB credentials) only in vaults (e.g., AWS KMS, HashiCorp Vault).
  • Enforce automatic updates and bug fix rollouts.

Testing & Deployment

  • Penetration Testing: External penetration tests at least quarterly.
  • Bug Bounty Program: Encourage responsible disclosure from ethical hackers.
  • Staging Environment: All features tested in staging with production-like data (synthetic, not real PII).
  • Zero-Downtime Deployment: Blue-Green or Canary releases to reduce risk.

Monitoring & Incident Handling

  • Enable real-time monitoring of application logs (API errors, authentication failures).
  • Alerts must be sent to the Security Operations Center (SOC) if anomalies detected.
  • Quick rollback mechanism in case of faulty deployments.

Developer Responsibilities

  • Mandatory annual security training (OWASP, secure coding).
  • Immediate reporting of suspected vulnerabilities.
  • No use of personal devices for production code access.
  • Developers must not store production data locally.