Web Application Security in Mumbai · BFSI & Fintech

Mumbai web-application-security is the deepest single-domain practice we run — the BFSI customer-facing web and API surface is where the largest book-of-record value moves through Indian banking. The scope is structurally different from a broader VAPT (which covers infrastructure, network, AD, mainframe and OT in addition to web) and different from a scenario-led pentest (which is graded against a single objective). A Mumbai AppSec engagement is the application-layer-and-below depth: authentication, session, authorisation, transaction-flow, integration, third-party-trust-chain and the regulator-clause closure. Macksofy delivers from BKC with senior consultants who have shipped enough RBI / SEBI / IRDAI inspections to know the difference between a finding the inspector will read and a finding the inspector will discard.

Methodology defaults to OWASP ASVS Level 3 plus OWASP API Security Top 10 (2023) plus the BFSI-specific abuse-case catalogue Macksofy has accumulated across 200+ Mumbai engagements. Burp Suite Pro, Caido and Nuclei run as supporting infrastructure. Every High and Critical finding is manually validated with a reproducible exploit (curl, Burp .req, Python harness or proxy script) attached to the report. The deliverable is a regulator-grade binder the bank's audit committee chair reads at the quarterly cyber review — not a Burp HTML export.

Net-banking and mobile-banking web-application security has its own playbook. The transaction-graph end-to-end: customer authentication, OTP / 2FA challenge, beneficiary-add flow, IMPS / NEFT / RTGS / UPI rails, reconciliation-to-book-of-record, dispute-flow and the fraud-stack integration. Abuse-case testing on velocity-control bypass, OTP reuse via SS7-style mobile-side weaknesses, beneficiary-add race conditions, reconciliation-drift exploitation, IMPS dispute-fraud paths and the UPI VPA-spoofing surface. Every finding maps to RBI Master Direction on IT Governance, Risk, Controls and Assurance Practices (November 2023) Annex-1 clauses and the RBI Cyber Security Framework CSITE Cell submission format.

Broker-terminal and AMC web-platform scope is the second Mumbai sub-segment. SEBI-regulated broker web platforms (Zerodha-style Kite, equivalent broker-terminals), AMC investor-portal apps and the broker-OMS-to-exchange gateway. Test surface includes broker-authorisation matrix exercise (sub-broker, dealer, RM, customer roles), algo-API rate-limit bypass, market-data tampering on Refinitiv / Bloomberg feed-handlers, order-management-to-NSE / BSE gateway authorisation, and the SEBI CSCRF Annexure-K AppSec evidence (CCI / CRMM scoring requires application-layer evidence the inspector reads).

Payment-gateway and aggregator web-platform scope is third. RBI PA-PG licensees in BKC and Lower Parel run merchant-portal apps, payout-and-settlement APIs, dispute-flow systems and reconciliation-layer apps. AppSec scope here closes RBI Payment Aggregator and Payment Gateway Master Direction clauses through the application-layer evidence — payment-flow abuse cases (token replay, refund-race, settlement-spoof, payout-amount tampering, merchant-side payment-intent manipulation), partner-merchant-onboarding-API hygiene, KYC-vendor-integration trust chain and the merchant-portal authorisation matrix.

Insurer web-platform scope adds IRDAI overlay. Life and general insurer customer-facing apps (policy issuance, claims-intake, renewal flows), Policy Administration System (PAS) web modules and partner-agent portals. Test surface includes claims-fraud paths (OVD-tamper, multi-policy-stitching, beneficiary-impersonation), KYC-impersonation via OVD upload portals and the PAS authorisation matrix tested role-by-role. Every finding maps to IRDAI Information and Cyber Security Guidelines (April 2023) clauses for the insurer's next IRDAI cyber-supervision review.

MII platform scope is the rarest and most consequential. SEBI Market Infrastructure Institutions (NSE, BSE, NSDL, CDSL) and the clearing-corporation web platforms face the highest evidence-quality bar in Indian financial-services AppSec. Macksofy's Mumbai bench has shipped AppSec into MII and MII-adjacent platforms — the methodology runs deeper, the report format follows SEBI's MII-specific guidelines, and the engagement letter includes a no-data-exfiltration acknowledgement plus an explicit market-disruption-prevention clause.

Procurement reality matters. Mumbai BFSI AppSec procurement closes through the CISO, the AppSec lead and (for the larger banks) the chief technology officer in a single weekly sync, plus a one-page engagement letter from the General Counsel covering production safe-harbour and regulator-submission attribution. Engagement letters typically include a Bombay High Court jurisdiction clause and explicit no-data-exfiltration acknowledgement. Reports are encrypted, double-key delivered (Macksofy senior + CISO) and the master is destroyed inside 30 days of closure unless the bank requests retention. Onsite cadence — BKC walk-in same day for kickoff and exit; Andheri MIDC, Powai, Goregaon SEEPZ, Thane and Navi Mumbai reachable inside four hours. Engagement length is typically 4-6 weeks per AppSec scope, scaled by application count.