SetuBond is an enterprise-grade corporate bond trading platform built with security-by-design principles. We implement multi-layered security controls to protect user data, financial transactions, and platform integrity while maintaining regulatory compliance with Indian financial laws.

• Zero Trust Architecture - Never trust, always verify
• Defense in Depth - Multiple security layers
• Least Privilege Access - Minimum necessary permissions
• Data Privacy by Design - Built-in privacy protection
• Continuous Monitoring - Real-time threat detection

We take security seriously. If you discover a security vulnerability, please follow our responsible disclosure process:

Email: security@example.com

• Use PGP encryption (key available on request)
• Include "SECURITY VULNERABILITY" in subject line
• Response time: 24 hours
• Fix timeline: 7-14 days

GitHub: Private Vulnerability Report

• Response time: 72 hours
• Fix timeline: 30 days

• ❌ Do not publicly disclose vulnerabilities
• ❌ Do not access or modify user data
• ❌ Do not perform DoS attacks
• ❌ Do not engage in social engineering

We recognize security researchers with:

• Hall of Fame listing (with permission)
• Acknowledgment in release notes
• Swag and certificates for significant findings

┌─────────────────────────────────────────┐
│              CDN & DDoS Protection      │
├─────────────────────────────────────────┤
│          Load Balancer & WAF            │
├─────────────────────────────────────────┤
│        API Gateway (Rate Limiting)      │
├─────────────────────────────────────────┤
│           Authentication Layer          │
├─────────────────────────────────────────┤
│          Microservices (mTLS)           │
├─────────────────────────────────────────┤
│        Database Encryption Layer        │
├─────────────────────────────────────────┤
│         Network Security (VPC)          │
└─────────────────────────────────────────┘

• SMS OTP - Primary mobile verification
• TOTP Apps - Google Authenticator, Authy support
• Hardware Tokens - FIDO2/WebAuthn for high-value accounts
• Biometric - Fingerprint/Face ID on mobile apps

• Access Tokens: 15-minute expiry
• Refresh Tokens: 7-day expiry with rotation
• Secure Storage: HttpOnly cookies with SameSite
• Token Blacklisting: Immediate revocation capability

enum UserRoles {
  RETAIL_INVESTOR = 'RETAIL_INVESTOR',
  INSTITUTIONAL_INVESTOR = 'INSTITUTIONAL_INVESTOR', 
  TRADER = 'TRADER',
  COMPLIANCE_OFFICER = 'COMPLIANCE_OFFICER',
  ADMIN = 'ADMIN'
}

enum Permissions {
  READ_ORDERS = 'READ_ORDERS',
  CREATE_ORDERS = 'CREATE_ORDERS',
  CANCEL_ORDERS = 'CANCEL_ORDERS',
  VIEW_PORTFOLIO = 'VIEW_PORTFOLIO',
  ADMIN_PANEL = 'ADMIN_PANEL'
}

• Database: AES-256 encryption with AWS KMS
• File Storage: AES-256 with customer-managed keys
• Backups: Encrypted with separate key rotation
• Blockchain: Native Ethereum encryption

• TLS 1.3 for all client communications
• mTLS for inter-service communication
• IPSec VPN for administrative access
• End-to-end encryption for sensitive operations

• Application-level encryption for sensitive fields
• Secure enclaves for cryptographic operations
• Memory protection with secure allocation
• Zero-copy operations to minimize exposure

• Private Subnets - No direct internet access for backend
• Network ACLs - Layer 4 traffic filtering
• Security Groups - Layer 7 application firewalls
• NAT Gateways - Controlled outbound internet access

• Rate Limiting - 1000 req/min per user, 10 orders/sec trading
• DDoS Protection - AWS CloudFront and Shield
• Input Validation - Strict schema validation with Joi
• CORS Policy - Restricted origins for web requests

• Image Scanning - Trivy scans for vulnerabilities
• Resource Limits - CPU/Memory constraints
• Network Policies - Kubernetes pod-to-pod restrictions
• Service Mesh - Istio for secure communication

• Minimum length: 12 characters
• Complexity: Letters, numbers, symbols required
• History: Cannot reuse last 12 passwords
• Expiry: 90 days for admin accounts
• Lockout: 5 failed attempts = 30-minute lockout

• Session Timeout: 30 minutes inactivity
• Concurrent Sessions: Max 3 per user
• Device Tracking: Login notifications and device management
• Geographic Restrictions: Unusual location alerts

• Admin Accounts: Separate from regular accounts
• Just-in-Time Access: Temporary privilege escalation
• Session Recording: All admin activities logged
• Break-glass Access: Emergency procedures documented

• Static Analysis: SonarQube, ESLint security rules
• Dependency Scanning: Snyk for vulnerable packages
• Code Review: Mandatory peer review for all changes
• Secret Scanning: GitGuardian for exposed credentials

• Unit Tests: 95%+ coverage including security tests
• Integration Tests: API security and authentication flows
• Penetration Testing: Quarterly by certified ethical hackers
• Load Testing: Performance under stress conditions

• Container Images: Distroless base images, minimal attack surface
• Infrastructure as Code: Terraform with security scanning
• Zero-Downtime Deployments: Blue-green deployment strategy
• Rollback Capability: Instant rollback on security issues

• SIEM Integration - Centralized log analysis with ELK stack
• Anomaly Detection - ML-powered behavioral analysis
• Threat Intelligence - Integration with threat feeds
• Security Alerts - Automated notification system

• Market Manipulation Detection - Real-time pattern analysis
• Wash Trading Alerts - Cross-reference trading patterns
• Unusual Activity Monitoring - Statistical deviation alerts
• Regulatory Reporting - Automated SEBI compliance reports

• Security Lead - Overall incident coordination
• Technical Lead - System investigation and remediation
• Compliance Officer - Regulatory reporting and legal
• Communications - User and stakeholder notifications

1. Detection (0-15 mins) - Automated alerts and manual reporting
2. Assessment (15-30 mins) - Severity classification and impact analysis
3. Containment (30-60 mins) - Isolate affected systems and prevent spread
4. Investigation (1-4 hours) - Root cause analysis and evidence collection
5. Remediation (4-24 hours) - Fix vulnerabilities and restore services
6. Recovery (24-72 hours) - Full service restoration and monitoring
7. Post-Incident (3-7 days) - Lessons learned and process improvements

• Online Bond Platform Provider (OBPP) registration required
• Trade Reporting - Real-time transaction reporting
• Audit Trail - Complete record of all activities
• Risk Management - Position limits and exposure monitoring

• KYC Compliance - Digital verification with DigiLocker
• AML Monitoring - Suspicious transaction reporting
• Data Localization - All customer data stored in India
• Cross-border Transactions - FEMA compliance monitoring

• Personal Data Protection Bill - Privacy by design implementation
• GDPR Compliance - For international users
• Data Retention - Automated deletion policies
• Consent Management - Granular permission controls

• Monthly - Security control effectiveness
• Quarterly - Compliance with policies and procedures
• Semi-annually - Business continuity and disaster recovery
• Annually - Comprehensive security assessment

• SOC 2 Type II - Annual security and availability assessment
• ISO 27001 - Information security management certification
• PCI DSS - Payment card security compliance (if applicable)
• Penetration Testing - Quarterly third-party security testing

// ✅ Good - Strict validation
const validateOrderInput = (input: any) => {
  const schema = Joi.object({
    bondId: Joi.string().required().pattern(/^[A-Z0-9]{12}$/),
    quantity: Joi.number().min(1).max(1000000).required(),
    price: Joi.number().min(0.01).max(100000).precision(2).required()
  });
  return schema.validate(input);
};

// ❌ Bad - No validation
const processOrder = (input: any) => {
  return database.query(`INSERT INTO orders VALUES (${input.bondId})`);
};

// ✅ Good - Verify permissions
const requirePermission = (permission: Permission) => {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!req.user?.hasPermission(permission)) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    next();
  };
};

// Usage
app.post('/orders', 
  authenticateToken, 
  requirePermission(Permission.CREATE_ORDERS), 
  createOrder
);

// ✅ Good - Encrypt sensitive data
const encryptPAN = (pan: string): string => {
  return crypto.encrypt(pan, process.env.PAN_ENCRYPTION_KEY);
};

// ✅ Good - Mask in logs
const logTradeData = (trade: Trade) => {
  logger.info('Trade executed', {
    tradeId: trade.id,
    userId: trade.userId.substring(0, 8) + '***',
    amount: trade.amount,
    // Never log: PAN, account numbers, passwords
  });
};

# ✅ Good - Use environment variables
DATABASE_URL="encrypted_connection_string"
JWT_SECRET="generated_256_bit_key"
API_KEYS="vault_managed_keys"

# ❌ Bad - Hardcoded secrets
const API_KEY = "hardcoded_key_in_source";

// ✅ Good - Parameterized queries
const getUserOrders = async (userId: string) => {
  return database.query(
    'SELECT * FROM orders WHERE user_id = $1', 
    [userId]
  );
};

// ❌ Bad - SQL injection risk
const getUserOrders = async (userId: string) => {
  return database.query(
    `SELECT * FROM orders WHERE user_id = '${userId}'`
  );
};

• Security Team: security@example.com
• On-call Phone: +91-XXXX-XXXXX (24/7)
• Incident Hotline: Available via internal Slack #security-incidents

• Security Policies: Internal wiki (authenticated access)
• Training Materials: Security awareness portal
• Threat Intelligence: Daily briefings via security@company.com
• Compliance Updates: Quarterly newsletters and webinars

• New Employee - Mandatory security orientation
• Developer - Secure coding practices workshop
• Compliance - Regulatory requirements training
• Incident Response - Tabletop exercises quarterly

• OWASP Top 10
• NIST Cybersecurity Framework
• SEBI Guidelines
• RBI Cybersecurity Framework

• Version: 1.0
• Last Updated: September 3, 2025
• Next Review: December 3, 2025
• Owner: Security Team
• Approved By: Chief Security Officer

9 10