Web Application Security in Delhi · Government & Fintech
OWASP ASVS L3 AppSec for Delhi central-government citizen portals, PSU banks, ministry-adjacent applications and Delhi-NCR fintech.
How a Macksofy web app pentest engagement runs in Delhi NCR.
Delhi web-application-security demand is overwhelmingly driven by central-government, PSU bank and ministry citizen-portal scope — Aadhaar AUA / KUA-enabled applications, DigiLocker-integrated services, APIGW-of-India inter-ministry consumers, regional-language Bhashini frontends, and the customer-facing citizen-service portals that drive the Digital India ecosystem. The secondary buyer profile is Delhi-NCR fintech in the Connaught Place / Karol Bagh / Saket corridor running RBI master-direction-aligned applications. Macksofy operates a GeM-listed AppSec capability with Delhi-resident bid-desk + Indian-soil-only delivery option for defence-adjacent ministry scope.
Central-government citizen-portal AppSec is the headline lane. The scope traverses authentication and identity (often Aadhaar-enabled), authorisation matrix (citizen / officer / supervisor / departmental-admin roles), regional-language frontend testing (Hindi + Bhashini regional-language frontends carry their own abuse surface), Aadhaar AUA / KUA integration trust-chain (UIDAI Authentication Regulations 2016 evidence), DigiLocker integration (MeitY partner-onboarding checklist), and APIGW-of-India consumer-side authentication and consent-and-purpose-binding compliance. We test biometric-replay resistance, eKYC consent-flow integrity, virtual-ID handling, audit-log retention compliance, and the citizen-data-export-anomaly paths the inspector cares about.
PSU bank customer-app AppSec mirrors our Chennai PSU bank AppSec practice. The scope traverses the customer-facing application surface — net-banking, mobile-banking, customer-portal, branch-portal — calibrated to PSU bank reality (heterogeneous platform mix with Finacle + BaNCS coexisting, 4,000-15,000 branch nodes, legacy mainframe-RACF on the back-end). Test surface covers transaction-graph abuse, role-by-role exercise of the authorisation matrix, KYC-impersonation paths, Aadhaar-enabled digital onboarding evidence, and GeM-procurement-format submission readiness for the bank's annual CSITE Cell evidence cycle.
Ministry-adjacent SaaS and IT-services AppSec adds a third sub-playbook. Several private-sector SaaS and IT-services majors operate ministry-and-PSU-adjacent customer-facing platforms — e-governance vendors, e-procurement integrators, government-payments aggregators, citizen-services platforms operated under PPP arrangements. The AppSec scope covers the customer-facing application surface with both the ministry's expectations (CERT-In + DPDP + Aadhaar AUA / KUA) and the private-sector procurement standards (OWASP ASVS L3 + SOC 2 + ISO 27001:2022) crosswalked. Dual-format reporting from one engagement is standard.
Delhi-NCR fintech AppSec follows the Mumbai BFSI playbook adapted for Delhi-NCR buyer reality. The Connaught Place / Karol Bagh / Saket fintech corridor and Greater-Kailash / South-Extension lending fintech operate RBI master-direction-aligned applications. The scope covers RBI PA-PG (for payment-aggregator licensees), RBI Digital Lending Guidelines (for lending fintech), Aadhaar AUA / KUA / DigiLocker / account aggregator integration trust chains, KYC vendor trust chain, and the inspector-readable submission-format Delhi-NCR fintech needs at the next CSITE / DPSS thematic review.
Defence-adjacent AppSec scope adds Indian-soil-only delivery and Indian-passport-only senior consultant requirements (same model as our Delhi SOC defence-adjacent capability). Engagement runs from the Indian-soil-only delivery floor with attestation that satisfies the procuring department's information-security policy. No-cloud-data-transfer and India-soil-only-data-residency clauses are honoured in the engagement letter.
AI / LLM application security has become standard for both ministry and fintech scope in 2026. Ministries are deploying citizen-facing LLM customer-service assistants (multi-lingual via Bhashini), AI document-processing for grievance-redressal, and AI-driven decision-support for officer roles. Fintechs are deploying customer-service LLMs, AI KYC document-processing, AI fraud-detection / underwriting. OWASP Top 10 for LLM Applications (2025) is the default catalogue. For ministry scope, the LLM application surface also faces specific Indian-context citizen-impersonation and regional-language prompt-injection abuse paths that generic LLM-AppSec vendors miss.
Procurement reality matters. Central-government / ministry AppSec engagements close through GeM with the empanelment certificate + GeM seller-ID + comparable-engagement experience as the three levers. PSU bank AppSec closes through the GM-IT + CISO + board-IT-committee secretary. Delhi-NCR fintech AppSec closes through the CTO + AppSec lead, in faster signoff cycles. Engagement length is typically 4-5 weeks for ministry citizen-portal AppSec, 5-7 weeks for PSU bank customer-app AppSec, 3-4 weeks for Delhi-NCR fintech, and 4-6 weeks for ministry-adjacent SaaS dual-format.
Onsite cadence — Mumbai → DEL flight is 2 hours; Aerocity → Connaught Place / ITO / Bhavan-area is 30 minutes; total mobilisation inside 3 hours. Engagements include one onsite kickoff and one onsite closing readout with the remainder running remote. For sustained ministry programmes we maintain a Delhi-resident lead consultant.
Five phases. Delhi NCR timeline.
Every Macksofy web app pentest engagement in Delhi NCR runs through the same phased protocol — adapted to Delhi NCR-specific procurement, regulator and delivery realities.
- GeM / CPPP / Defence e-Procurement bid response with empanelment certificate, GeM seller-ID, comparable-engagement list
- Joint kickoff with procuring department's IT secretary or PSU bank GM-IT + CISO or fintech CTO + AppSec lead
- Indian-soil-only delivery attestation + Indian-passport-only consultant deployment where required
- MeitY / NCSC submission-format reporting selected for ministry scope
- Citizen-portal + regional-language frontend + Aadhaar AUA / KUA + DigiLocker + APIGW component inventory
- PSU bank net-banking / mobile-banking / customer-portal / branch-portal inventory
- Delhi-NCR fintech RBI PA-PG / Digital Lending Guidelines licensee scope inventory
- AI surface inventory — ministry LLM customer-service assistant, fintech LLM customer-service assistant
- Aadhaar AUA / KUA — biometric-replay, eKYC consent-flow integrity, virtual-ID handling per UIDAI Authentication Regulations 2016
- DigiLocker — OAuth scope-handling per MeitY partner-onboarding checklist
- APIGW-of-India — consumer-side authentication + consent-and-purpose-binding testing
- Hindi + Bhashini regional-language frontend abuse — character-set, translation-layer, URL-parameter abuse
- Ministry — MeitY / NCSC office submission-format AppSec report
- PSU bank — RBI Master Direction Annex-1 + DFS submission-format
- Delhi-NCR fintech — RBI PA-PG + Digital Lending Guidelines submission-format
- Dual-format — ministry + private-sector procurement evidence packs for ministry-adjacent SaaS
- Re-test of every Critical and High inside the regulator / procurement-defined remediation window
- Ministry — MeitY / NCSC inspection-defence support
- PSU bank — DFS / RBI thematic-review inspection-defence
- Delhi-NCR fintech — RBI CSITE / DPSS thematic-review inspection-defence
Which Delhi NCR verticals we deliver Web App Pentest for.
Central government departments
Citizen-portal + Aadhaar AUA / KUA + APIGW-of-India AppSec with MeitY / NCSC submission-format.
Public-sector banks
Delhi-area PSU bank customer-apps — RBI Master Direction Annex-1 + DFS submission-format AppSec.
Defence-adjacent ministries
Indian-soil-only delivery + Indian-passport-only senior consultants for defence-adjacent ministry, PSU and department engagements.
Aadhaar ecosystem actors
AUA / KUA / Sub-AUA entities — Authentication Regulations 2016 evidence with biometric-replay testing.
Delhi-NCR fintech & lending
Connaught Place / Karol Bagh / Saket fintech corridor — RBI master-direction-aligned AppSec with fast CTO-signoff cycles.
Ministry-adjacent SaaS & IT-services
e-governance vendors / e-procurement integrators / citizen-services platforms — dual-format ministry + private-sector AppSec.
The Delhi NCR deliverable pack.
Every Delhi NCR web app pentest engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- OWASP ASVS L3 AppSec report with reproducible exploit code per High and Critical
- Ministry — MeitY / NCSC submission-format AppSec pack with citizen-portal evidence
- Aadhaar AUA / KUA — Authentication Regulations 2016 evidence with biometric-replay testing
- DigiLocker — MeitY partner-onboarding checklist coverage
- APIGW-of-India consumer-side authentication + consent-and-purpose-binding evidence
- PSU bank — RBI Master Direction Annex-1 + DFS submission-format AppSec
- Delhi-NCR fintech — RBI PA-PG + Digital Lending Guidelines submission-format AppSec
- Indian-soil-only delivery attestation signed by Macksofy authorised signatory
A Delhi NCR web app pentest case study.
5-week OWASP ASVS L3 + MeitY / NCSC submission-format + LLM Top 10 (2025) AppSec — ministry citizen-services portal (Hindi + 8 regional-language Bhashini frontends, Aadhaar AUA / KUA layer, DigiLocker OAuth integration, APIGW-of-India inter-ministry consumer, RAG-backed AI customer-service assistant); Indian-soil-only delivery; Indian-passport-only senior consultants
Six Aadhaar AUA authentication-API rate-limit gaps closed pre-disclosure; two DigiLocker OAuth scope-handling issues closed in coordination with MeitY's DigiLocker team; one APIGW-of-India consent-and-purpose-binding bypass closed; three regional-language Bhashini frontend prompt-injection paths closed via Bhashini-aware filter tuning; one indirect-prompt-injection-via-RAG path on the AI customer-service assistant closed and corpus-isolation control redesigned; MeitY / NCSC AppSec report accepted on first read.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
