Web Application Security in Chennai · OMR SaaS, PSU Banks & TNeGA
OWASP ASVS L3 AppSec for Chennai OMR SaaS, PSU bank customer apps, Sriperumbudur auto OEM customer portals and TNeGA citizen apps.
How a Macksofy web app pentest engagement runs in Chennai.
Chennai web-application-security work breaks across four buyer profiles, each with a distinct application surface. OMR (Old Mahabalipuram Road) SaaS unicorns and product companies face OWASP ASVS Level 3, SOC 2 Type II and ISO 27001:2022 enterprise-procurement standards. PSU bank customer-facing applications (net-banking, mobile-banking, customer-portal, branch-portal) face the RBI Master Direction on IT Governance plus the cyber clauses of the DFS circular. Auto OEM customer portals (Hyundai, Renault-Nissan and BMW dealer-portals and customer-engagement-portals) face control catalogues driven by the foreign OEM parent's IT-services procurement, plus the DPDP §16 cross-border-transfer overlay. TNeGA / Tamil Nadu state-government citizen-portal applications face CERT-In, DPDP and TNeGA requirements plus Tamil-language documentation. Macksofy's Chennai AppSec practice runs all four playbooks from the Mumbai-and-Hyderabad dual-anchor bench, with a Chennai-resident senior consultant for multi-quarter PSU bank programmes.
OMR SaaS AppSec follows the Bengaluru pattern at platform level: OWASP ASVS Level 3 by default, manual-first methodology, multi-tenant authorisation tested at every role boundary, identity-federation testing (SAML / OIDC / OAuth 2.0 against Okta, Microsoft Entra ID and AWS Cognito), cloud-native testing (IaC misconfiguration, CI/CD pipeline trust, AWS / GCP / Azure IAM and KMS) and the OWASP Top 10 for LLM Applications (2025) for AI surfaces. The OMR buyer is increasingly international-customer-facing (US Fortune 500 and EU enterprise customer base), so dual-format reporting (CERT-In plus a SOC 2 CC, ISO 27001:2022, HIPAA and GDPR overlay) is the default.
PSU bank customer-app AppSec is the Chennai-specific lane. The scope covers the customer-facing application surface (net-banking, mobile-banking, customer-portal, branch-portal), calibrated to PSU bank reality: a heterogeneous platform mix with Finacle and BaNCS coexisting, 4,000-15,000 branch nodes and a legacy mainframe with RACF on the back end. The test surface covers transaction-graph abuse (velocity-control bypass, OTP reuse and replay, race conditions on beneficiary addition, reconciliation drift), role-by-role exercise of the authorisation matrix (customer / branch-officer / supervisor / treasury / mainframe-RACF integration roles), KYC-impersonation paths and, where the bank offers Aadhaar-enabled digital onboarding, UIDAI Authentication Regulations 2016 evidence. Every finding maps to RBI Master Direction Annex-1 clauses and the DFS circular submission format.
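The OTP-reuse and beneficiary-add cases above come down to one server-side check. The block below is an added example (not Macksofy's code or any bank's) that contrasts the weak pattern, an OTP compared for equality and nothing else, with a hardened verifier that binds the OTP to a digest of the exact transaction it was issued for, expires it, consumes it on first success, counts wrong guesses and serialises verification so two parallel submissions cannot both pass. The in-memory store, customer id and beneficiary payloads are constructed stand-ins.

```python
"""Single-use, transaction-bound OTP verification for a net-banking flow.

Added example, not Macksofy's code. Contrasts a weak server-side OTP check
(equality only, reusable, not tied to what it was issued for) with a hardened
one that binds the OTP to a hash of the transaction it authorises, expires it,
consumes it on first successful use, counts wrong guesses and serialises
verification so parallel submissions cannot both succeed. The in-memory dict
and the beneficiary payloads are constructed stand-ins (assumption).
"""
import hashlib
import hmac
import secrets
import threading
from dataclasses import dataclass

OTP_TTL_SECONDS = 180
MAX_WRONG_ATTEMPTS = 3


def txn_fingerprint(customer_id: str, action: str, payload: dict) -> str:
    """Canonical digest of the exact transaction the OTP is meant to approve."""
    canon = "|".join([customer_id, action] + [f"{k}={payload[k]}" for k in sorted(payload)])
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class OtpRecord:
    otp: str
    fingerprint: str
    issued_at: float
    wrong_attempts: int = 0
    used: bool = False


class WeakOtpService:
    """Defect pattern: the OTP behaves like a password that works until overwritten."""

    def __init__(self) -> None:
        self.store: dict[str, str] = {}

    def issue(self, customer_id: str, action: str, payload: dict, now: float) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.store[customer_id] = otp
        return otp

    def verify(self, customer_id: str, action: str, payload: dict, otp: str, now: float) -> bool:
        # Not bound to the action or payload, never expires, never consumed.
        return self.store.get(customer_id) == otp


class HardenedOtpService:
    def __init__(self) -> None:
        self.store: dict[str, OtpRecord] = {}
        self.lock = threading.Lock()  # one verification at a time (a real store needs atomic compare-and-set)

    def issue(self, customer_id: str, action: str, payload: dict, now: float) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        with self.lock:
            self.store[customer_id] = OtpRecord(otp, txn_fingerprint(customer_id, action, payload), now)
        return otp

    def verify(self, customer_id: str, action: str, payload: dict, otp: str, now: float) -> bool:
        with self.lock:
            rec = self.store.get(customer_id)
            if rec is None or rec.used:
                return False
            if now - rec.issued_at > OTP_TTL_SECONDS:
                del self.store[customer_id]
                return False
            same_txn = hmac.compare_digest(rec.fingerprint, txn_fingerprint(customer_id, action, payload))
            same_otp = hmac.compare_digest(rec.otp, otp)
            if not (same_txn and same_otp):
                rec.wrong_attempts += 1
                if rec.wrong_attempts >= MAX_WRONG_ATTEMPTS:
                    del self.store[customer_id]  # lock out: caller must request a fresh OTP
                return False
            rec.used = True  # consumed: a replay of the same OTP now fails
            return True


def demo() -> dict:
    """Run replay, payload-swap and expiry against both services (constructed inputs)."""
    legit = {"acct": "000123456789", "ifsc": "IOBA0001234", "name": "Vendor A"}
    swapped = dict(legit, acct="999999999999")  # attacker-controlled beneficiary
    out = {}
    for label, svc in (("weak", WeakOtpService()), ("hardened", HardenedOtpService())):
        otp = svc.issue("cust-42", "add_beneficiary", legit, now=1000.0)
        out[f"{label}_first_use"] = svc.verify("cust-42", "add_beneficiary", legit, otp, now=1001.0)
        out[f"{label}_replay"] = svc.verify("cust-42", "add_beneficiary", legit, otp, now=1002.0)
        otp = svc.issue("cust-42", "add_beneficiary", legit, now=2000.0)
        out[f"{label}_payload_swap"] = svc.verify("cust-42", "add_beneficiary", swapped, otp, now=2001.0)
        otp = svc.issue("cust-42", "add_beneficiary", legit, now=3000.0)
        out[f"{label}_expired"] = svc.verify("cust-42", "add_beneficiary", legit, otp, now=3000.0 + OTP_TTL_SECONDS + 1)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} accepted={v}")
```

The payload-swap case is the one that matters for beneficiary addition: the customer requests an OTP for beneficiary A, the attacker (or a tampered client) submits the same OTP with beneficiary B, and only the transaction-bound verifier refuses. In a clustered deployment the in-process lock must become an atomic compare-and-set on the shared OTP store, or the race returns.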
Auto OEM customer-portal AppSec adds the customer-engagement-portal scope that is specific to Chennai. Hyundai's dealer portal, Renault-Nissan's customer-engagement portal, BMW's customer-configuration portal and Daimler Trucks' fleet-customer portal each face control catalogues driven by the foreign OEM parent's IT-services procurement. The test surface covers customer authentication, customer-data isolation (one customer must not see another customer's vehicle or service history), payment-flow abuse paths, service-request authorisation, the dealer-portal-to-OEM-back-end trust chain and, where connected-vehicle integration is in scope, the customer-vehicle-data-isolation evidence the European customer-procurement function asks for.
TNeGA citizen-portal AppSec is the fourth playbook. Tamil Nadu e-Governance Authority (TNeGA), Aavin Dairy, Tamil Nadu state PSU customer portals, citizen-services portals and Aadhaar AUA / KUA-enabled service surfaces face CERT-In, DPDP and TNeGA-specific monitoring requirements plus Tamil-language data-handling requirements. These engagements include Tamil-language frontend testing, Aadhaar AUA / KUA replay-resistance evidence per the UIDAI Authentication Regulations 2016, and DPDP §16 cross-border-transfer-control evidence where citizen data routes outside the state's data-residency boundary.
Identity is a cross-cutting concern. OMR SaaS clients run hybrid identity with Okta or Microsoft Entra ID as the central IdP. PSU bank clients run on-premises AD with mainframe-RACF integration. Auto OEM customer portals federate with the foreign OEM parent's identity stack (typically Microsoft Entra ID or Okta). TNeGA citizen-portal scopes federate with the central UIDAI Aadhaar AUA / KUA infrastructure. The AppSec engagement tests the federation trust paths end to end per scope (SCIM, SAML, OIDC, OAuth 2.0, JWT handling, Conditional Access, MFA) and hunts for the privileged-access paths that every such estate has.
Procurement reality matters. OMR SaaS AppSec engagements close through the CTO and head of customer security in a single weekly sync. PSU bank customer-app AppSec closes through the GM-IT and CISO with the bank's board-IT-committee secretary copied. Auto OEM customer-portal AppSec closes through the IT head with the foreign-OEM-customer cyber-security function copied. TNeGA / state-government engagements close through the procuring department's IT head with TN-eGA panel routing and Tamil-language deliverable agreement. Engagement length is typically 3-4 weeks for OMR SaaS, 5-7 weeks for PSU bank customer-app, 4-5 weeks for auto OEM customer-portal, and 4-5 weeks for TNeGA scope with Tamil-language overhead.
Onsite cadence: Mumbai to MAA is a 90-minute flight and Hyderabad to MAA 60 minutes; from MAA it is a 45-minute drive to OMR, 30 minutes to Tidel Park and 90 minutes to Sriperumbudur. Same-day onsite arrival is feasible from either anchor. For sustained PSU bank programmes we maintain a Chennai-resident senior consultant with a local mobile number.
Five phases. Chennai timeline.
Every Macksofy web app pentest engagement in Chennai runs through the same phased protocol — adapted to Chennai-specific procurement, regulator and delivery realities.
- Joint kickoff with CTO + customer-security (OMR SaaS) / GM-IT + CISO (PSU bank) / IT head + customer cyber-security (auto OEM) / IT head + TNeGA panel (govt)
- Application inventory with authorisation-matrix and data-flow mapping per scope
- OWASP ASVS L3 catalogue selected, plus RBI Master Direction Annex-1 (PSU bank), ISO/SAE 21434 where connected-vehicle integration is in scope (auto OEM) and Tamil-language deliverables (TNeGA)
- Tamil-language deliverable agreement codified for state-government scope
- Authenticated and unauthenticated surface mapping with Burp Pro, Caido and Nuclei against staging and controlled prod
- Authorisation-matrix discovery role-by-role per scope (customer / branch-officer for PSU; tenant / role for SaaS; customer / dealer for auto OEM; citizen / officer for govt)
- Identity-federation footprint enumeration — SAML, OIDC, OAuth, JWT, Aadhaar AUA / KUA
- AI surface inventory — AI-customer-service-assistant, AI-recommendation, AI-citizen-services
- OMR SaaS — BOLA, tenant bleed, iam:PassRole abuse, CI/CD trust, identity federation, LLM-application surfaces
- PSU bank — transaction-graph abuse, branch-portal authz, mainframe-RACF integration role-by-role
- Auto OEM — customer-data isolation, payment-flow abuse, dealer-portal-to-OEM-back-end trust chain
- TNeGA — citizen-portal authorisation, Aadhaar AUA / KUA replay, Tamil-language frontend abuse
- OMR SaaS — CERT-In + SOC 2 CC + ISO 27001:2022 Annex A + (where applicable) HIPAA + GDPR overlay
- PSU bank — RBI Master Direction Annex-1 + DFS submission-format for CSITE / DFS thematic review
- Auto OEM — customer-procurement-driven control catalogue, with ISO/SAE 21434 mapping where connected-vehicle integration is in scope
- TNeGA — CERT-In + DPDP + TNeGA submission-format with Tamil-language documentation
- Free re-test of every Critical and High inside the regulator / audit-window remediation period
- Joint readout with the engineering team at OMR / Tidel Park / Sriperumbudur / state-government office
- Findings exported to Linear / Jira / GitHub Issues with owner, severity, CWE and ETA
- Continuous-AppSec retainer offer for OMR SaaS clients with weekly release trains
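The "authorisation-matrix discovery role-by-role" step and the BOLA / tenant-bleed items in the phase list above are one test: every principal is tried against every object and each cell is compared with the matrix agreed at kickoff. The block below is an added example, not Macksofy's tooling or any client's code. A tiny in-memory invoice store stands in for the target (constructed data; the tenant and user names are assumptions), two lookup handlers show the defect and its fix, and `exercise_matrix()` produces the deviation list a tester would turn into findings.

```python
"""Authorisation-matrix exercise for a multi-tenant object endpoint.

Added example, not Macksofy's tooling. A tiny in-memory invoice store stands
in for the target (constructed data; tenant and user names are assumptions).
Two lookup handlers show the BOLA / tenant-bleed defect and its fix, and
exercise_matrix() probes every principal against every object and reports the
cells whose outcome deviates from the expected authorisation matrix, which is
how a role-by-role test is scored.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str
    role: str  # "admin" | "member" | "support"


@dataclass(frozen=True)
class Invoice:
    id: str
    tenant: str
    created_by: str
    amount: int


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data: two tenants, three invoices.
INVOICES = {
    "inv-1001": Invoice("inv-1001", "acme", "alice", 1200),
    "inv-1002": Invoice("inv-1002", "acme", "bob", 300),
    "inv-2001": Invoice("inv-2001", "globex", "carol", 9800),
}

PRINCIPALS = [
    Principal("alice", "acme", "admin"),
    Principal("bob", "acme", "member"),
    Principal("carol", "globex", "admin"),
]


def get_invoice_vulnerable(p: Principal, invoice_id: str) -> Invoice:
    # Authenticated, but the object is fetched by id alone: any logged-in user
    # of any tenant reads any invoice (BOLA / tenant bleed).
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_hardened(p: Principal, invoice_id: str) -> Invoice:
    inv = INVOICES.get(invoice_id)
    # Tenant scope is the first filter, and another tenant's id is answered like
    # a missing one so that ids cannot be used to enumerate other tenants' data.
    if inv is None or inv.tenant != p.tenant:
        raise NotFound(invoice_id)
    if p.role in ("admin", "support") or inv.created_by == p.name:
        return inv
    raise Forbidden(f"{p.name} may not read {invoice_id}")


def expected_outcome(p: Principal, inv: Invoice) -> str:
    """The authorisation matrix agreed at kickoff, expressed as a policy oracle."""
    if inv.tenant != p.tenant:
        return "notfound"
    if p.role in ("admin", "support") or inv.created_by == p.name:
        return "allow"
    return "forbidden"


def probe(handler: Callable, p: Principal, invoice_id: str) -> str:
    try:
        handler(p, invoice_id)
        return "allow"
    except NotFound:
        return "notfound"
    except Forbidden:
        return "forbidden"


def exercise_matrix(handler: Callable, principals=PRINCIPALS, invoices=INVOICES) -> list[dict]:
    """Every principal against every object; return the cells that deviate from policy."""
    deviations = []
    for p in principals:
        for inv in invoices.values():
            want, got = expected_outcome(p, inv), probe(handler, p, inv.id)
            if want != got:
                kind = "tenant-bleed" if inv.tenant != p.tenant else "role-bypass"
                deviations.append({"who": p.name, "object": inv.id, "want": want, "got": got, "kind": kind})
    return deviations


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable), ("hardened", get_invoice_hardened)):
        devs = exercise_matrix(handler)
        print(f"{name}: {len(devs)} deviation(s)")
        for d in devs:
            print("  ", d)
```

Against a real target the `probe()` function becomes an HTTP call per (session, object id) pair and the oracle is the matrix the client signed off at kickoff; the deviation list is what gets written up, with cross-tenant cells reported as tenant bleed and same-tenant cells as horizontal or vertical privilege escalation.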
Which Chennai verticals we deliver Web App Pentest for.
OMR SaaS unicorns
OMR product companies — OWASP ASVS L3 + SOC 2 + ISO 27001:2022 + DPDP §16 evidence on demand.
PSU bank customer-apps
Indian Bank / IOB / cooperative banks — net-banking / mobile-banking / branch-portal AppSec with RBI Master Direction Annex-1 closure.
Auto OEM customer portals
Hyundai / Renault-Nissan / BMW / Daimler Trucks customer-engagement portals — customer-data isolation + ISO/SAE 21434 mapping where connected-vehicle integration is in scope.
TNeGA citizen portals
Tamil Nadu state citizen-portals — Tamil-language frontend + Aadhaar AUA / KUA + DPDP §16 overlay.
Healthcare & clinical research
Chennai healthcare delivery and clinical research web platforms — HIPAA + DPDP §16 evidence on customer-facing apps.
BPO / IT services delivery centres
OMR / Tidel Park IT-services customer-facing applications — customer's third-party-AppSec-standard with TPRM drop-in.
The Chennai deliverable pack.
Every Chennai web app pentest engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- OWASP ASVS L3 AppSec report: technical findings mapped to ASVS requirements plus a board-readable summary
- PSU bank RBI Master Direction Annex-1 + DFS submission-format AppSec pack
- Auto OEM customer-procurement evidence pack, with ISO/SAE 21434 mapping where connected-vehicle integration is in scope
- TNeGA + DPDP citizen-portal AppSec with Tamil-language documentation
- OMR SaaS CERT-In + SOC 2 CC + ISO 27001:2022 + HIPAA + GDPR dual-format report
- Aadhaar AUA / KUA replay-resistance evidence per UIDAI Authentication Regulations 2016 where applicable
- Reproducible exploit code (curl / Burp .req / Python) per High and Critical
- Free re-test of every Critical and High inside the regulator-defined remediation window
A Chennai web app pentest case study.
4-week OWASP ASVS L3 + LLM Top 10 (2025) + SOC 2 + ISO 27001:2022 + HIPAA + GDPR AppSec — 18 services in the platform, AWS hub-and-spoke topology, Okta IDP federation, GitHub Actions CI/CD, RAG-backed AI assistant; one OMR kickoff onsite and one closing readout
Three cross-tenant BOLA paths in the customer API closed pre-disclosure; one indirect-prompt-injection-via-RAG path that allowed cross-customer FAQ leakage closed, with the corpus-isolation control redesigned; two GitHub Actions OIDC trust-misconfiguration paths closed at D+8; report shipped into the next SOC 2 Type II audit with zero customer-security-questionnaire follow-ups for the quarter; HIPAA Security Rule evidence pack accepted by two US-customer compliance functions; GDPR evidence pack accepted by one EU-customer DPO without rework.
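The GitHub Actions OIDC trust-misconfiguration class in the case study is a role trust policy that does not pin the token's `sub` (and often not its `aud`) tightly enough, so a workflow in any repository the condition happens to match can assume the deploy role. The block below is an added example, not Macksofy's, AWS's or GitHub's code: it models just enough of IAM's `StringEquals` / `StringLike` matching to evaluate a trust policy against constructed token claims, and shows the weak policy beside the pinned one. The org and repo names, the AWS account number in the provider ARN and the claim sets are assumptions.

```python
"""Evaluate an AWS IAM role trust policy against GitHub Actions OIDC token claims.

Added example, not Macksofy's, AWS's or GitHub's code. Implements just enough
of IAM's StringEquals / StringLike condition matching to show the trust
misconfiguration class named in the case study: a policy whose 'sub'
condition is 'repo:<org>/*' (and no 'aud' check) lets a workflow in any repo
of the org assume the deploy role, while a policy pinned to one repo and one
branch or environment does not. The org, repo and provider ARN are assumptions
and the token claim sets are constructed.
"""
import fnmatch

GH_ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GH_ISSUER}"  # assumed account id


def _cond_match(op: str, pattern: str, value: str) -> bool:
    if op == "StringEquals":
        return pattern == value
    if op == "StringLike":  # '*' and '?' wildcards, case-sensitive, as in IAM
        return fnmatch.fnmatchcase(value, pattern)
    raise ValueError(f"operator not modelled: {op}")


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for the GitHub provider matches every condition."""
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            continue
        matched = True
        for op, conds in stmt.get("Condition", {}).items():
            for key, patterns in conds.items():
                claim = key.split(":", 1)[1]  # "<issuer>:sub" -> "sub"
                patterns = [patterns] if isinstance(patterns, str) else patterns
                # A missing claim never satisfies a condition (no IfExists variants here).
                if not any(_cond_match(op, pat, claims.get(claim, "")) for pat in patterns):
                    matched = False
        if matched:
            return True
    return False


def _policy(condition: dict) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Finding: any repo in the org passes, and the audience is not pinned at all.
WEAK_POLICY = _policy({"StringLike": {f"{GH_ISSUER}:sub": "repo:acme-saas/*"}})

# Fix: audience pinned; subject pinned to the deploy repo's main branch or production environment.
HARDENED_POLICY = _policy({
    "StringEquals": {f"{GH_ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GH_ISSUER}:sub": [
        "repo:acme-saas/platform:ref:refs/heads/main",
        "repo:acme-saas/platform:environment:production",
    ]},
})


def _claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    return {"iss": f"https://{GH_ISSUER}", "aud": aud, "sub": sub}


# Constructed tokens. GitHub's default 'sub' layouts are repo:ORG/REPO:ref:refs/heads/BRANCH,
# repo:ORG/REPO:environment:NAME and repo:ORG/REPO:pull_request.
TOKENS = {
    "deploy_main": _claims("repo:acme-saas/platform:ref:refs/heads/main"),
    "other_repo": _claims("repo:acme-saas/sandbox-tool:ref:refs/heads/main"),
    "pull_request": _claims("repo:acme-saas/platform:pull_request"),
    "wrong_audience": _claims("repo:acme-saas/platform:ref:refs/heads/main", aud="https://github.com/acme-saas"),
}


def evaluate(policy: dict) -> dict:
    """Which constructed tokens the policy would let assume the role."""
    return {name: trust_policy_allows(policy, claims) for name, claims in TOKENS.items()}


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, evaluate(pol))
```

The `other_repo` and `pull_request` rows are the ones to look at: under the weak policy a token minted for any repository in the org, or for a pull-request run of the deploy repository, assumes the role; under the pinned policy only a run on `main` or in the `production` environment of the named repository does. When reviewing a real trust policy, check the `sub` pattern for a trailing `*` that crosses the repo or ref boundary and confirm `aud` is pinned to `sts.amazonaws.com`.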
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
