Annexure - Security Guidelines

The document outlines security requirements and compliance obligations for partners, emphasizing the importance of incorporating security by design throughout the application lifecycle and adhering to industry standards. It details specific security testing, validation protocols, and penalties for non-compliance, including financial repercussions and mandatory audits. Additionally, Annexure A enumerates various security vulnerability requirements, covering areas such as authentication, API security, data encryption, and secure coding practices.


Security Requirements and Compliance

Security by Design and Partner Obligations

1. Security by Design Mandate

The partner shall incorporate security as a foundational principle
throughout the application’s design, development, and deployment
lifecycle. All security controls must adhere to industry standards such
as OWASP, NIST, and CIS, while addressing the categories outlined in
Annexure A: Security Vulnerability Requirements.

2. Compliance with Annexure A

The partner is contractually obligated to ensure the proposed solution
mitigates all vulnerabilities and risks enumerated in Annexure A.
Failure to address these requirements during development or post-
deployment will result in remediation costs being borne solely by the
partner.

3. Security Testing and Validation

The partner must conduct comprehensive security testing, including
Static Application Security Testing (SAST), Dynamic Application
Security Testing (DAST), penetration testing, and dependency scanning
through a Software Bill of Materials (SBOM) review. Documented
evidence of all security testing activities and vulnerability remediation
efforts must be provided. An internal (TML) and/or a third-party
security audit may be mandated prior to final acceptance.

4. Penalties for Non-Compliance

Post-deployment discovery of vulnerabilities listed in Annexure A,
including those introduced through patches, will require the partner to
resolve them at no additional cost within a timeframe determined by the
severity and impact of the vulnerability. Critical vulnerabilities require a
detailed root cause analysis (RCA) and immediate remediation. The
partner is also expected to proactively monitor for emerging security
threats and ensure continued compliance with evolving security best
practices.
Failure to remediate identified vulnerabilities within the defined SLAs
will result in financial penalties per unresolved vulnerability per day,
mandatory external audits at the partner’s expense, and potential
contract termination in cases of repeated non-compliance.
Any deviations from Annexure A due to technical or business constraints
must be formally justified by the partner and approved by TML
representatives before implementation. This approval process applies to all
aspects of security design, compliance, testing, and remediation.

Annexure A: Security Vulnerability Requirements

1. Authentication & Authorization

Authentication and authorization mechanisms must be robust and
designed to prevent unauthorized access to sensitive information and
functionalities. Weak password policies, lack of multi-factor
authentication (MFA), and concurrent logins increase the risk of
credential-based attacks. Partners must implement strong
authentication methods, enforce session expiration, and prevent user
enumeration vulnerabilities. Email verification bypass and mobile OTP
bypass must be prevented by implementing strong validation
mechanisms.

2. API Security

APIs serve as a critical entry point to applications and must be secured
to prevent unauthorized access and data breaches. Partners must
ensure API keys are not exposed in client-side code, enforce
authentication on all sensitive endpoints, and apply strict rate limiting
to prevent abuse. Common issues such as Broken Object-Level
Authorization (BOLA), excessive data exposure, and using components
with known vulnerabilities must be mitigated.

3. Session Management

Proper session lifecycle management is crucial to prevent hijacking
and replay attacks. Sessions must be securely generated, stored, and
invalidated upon logout. Setting the HttpOnly and Secure flags on
cookies, applying appropriate session timeouts, and preventing token
reuse are essential measures. Concurrent logins shall be permitted only
where there is a justified need. Session persistence after logout must be
strictly prohibited.

4. Data Encryption & Transport Security

Data at rest and in transit must be protected using strong encryption
standards. Outdated cryptographic algorithms, weak SSL/TLS ciphers,
and improper key management can lead to data exposure. Partners
must disable cleartext traffic and ensure secure key storage to prevent
credential leaks. SSL pinning shall be used. SSL certificates must be
issued by trusted certificate authorities (CAs). Self-signed or expired
certificates must be rejected.

5. Input Validation & Sanitization

Unvalidated input can lead to severe security risks such as SQL
Injection, Cross-Site Scripting (XSS), and unrestricted file uploads.
Partners must implement strict input validation mechanisms, use
parameterized queries, and sanitize all user inputs to prevent injection
attacks and client-side exploits. Path traversal vulnerabilities must be
identified and mitigated.

6. Security Headers & Header Misconfiguration

Security headers play a critical role in mitigating common web
vulnerabilities. Missing headers such as Content-Security-Policy (CSP)
and HTTP Strict Transport Security (HSTS) can leave applications
vulnerable to XSS and MITM attacks. Properly configured Cross-Origin
Resource Sharing (CORS) policies must also be enforced. Header
injection attacks shall be prevented.
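
The requirements of sections 3 and 6 (cookie flags, HSTS, CSP, CORS, header injection) expressed as a runnable audit of one HTTP response; this is an added example, not part of the guideline. The two sample responses are constructed, and the one-year minimum HSTS max-age is an assumption.

```python
import re

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit

def _cookie_attrs(set_cookie: str) -> set[str]:
    """Lower-cased attribute names of a Set-Cookie value (httponly, secure, ...)."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}

def audit_response(headers: dict[str, list[str]]) -> list[str]:
    """Return findings for one response's headers; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # Header injection: a CR or LF inside a value lets an injected string start new headers.
    for name, values in h.items():
        if any("\r" in v or "\n" in v for v in values):
            findings.append(f"header injection: CR/LF inside {name}")
    # HSTS must be present with a max-age of at least one year.
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age shorter than one year")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy header missing")
    # Every cookie must carry HttpOnly and Secure.
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        missing = {"httponly", "secure"} - _cookie_attrs(cookie)
        if missing:
            findings.append(f"cookie {name} lacks {', '.join(sorted(missing))}")
    # A wildcard origin combined with credentials lets any site read responses.
    acao = h.get("access-control-allow-origin", [""])[0].strip()
    creds = h.get("access-control-allow-credentials", [""])[0].strip().lower()
    if acao == "*" and creds == "true":
        findings.append("CORS allows any origin with credentials")
    return findings

# Constructed sample responses; not captured from any real system.
WEAK = {
    "Set-Cookie": ["session=abc123; Path=/"],
    "Access-Control-Allow-Origin": ["*"],
    "Access-Control-Allow-Credentials": ["true"],
    "X-Debug": ["trace\r\nInjected: yes"],
}
HARDENED = {
    "Strict-Transport-Security": ["max-age=63072000; includeSubDomains"],
    "Content-Security-Policy": ["default-src 'self'"],
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"],
    "Access-Control-Allow-Origin": ["https://app.example.com"],
}
```

Running `audit_response(WEAK)` yields five findings, one per requirement violated; `audit_response(HARDENED)` yields none.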

7. Access Control & Least Privilege

Access control mechanisms must ensure that users can only access
data and functionalities relevant to their roles. Insecure Direct Object
References (IDOR), excessive privileges, and improperly exposed HTTP
methods can result in unauthorized actions. Partners must enforce the
principle of least privilege and continuously audit role-based access
controls. All unnecessary HTTP methods, such as OPTIONS, PUT, and
DELETE, should be disabled unless explicitly required. APIs must
enforce strict method-based access controls. Privilege escalation
vulnerabilities shall be prevented.

8. Rate Limiting & Brute Force Protection

Applications and APIs must implement rate limiting to prevent abuse,
particularly on authentication endpoints. Without rate limiting,
attackers can execute brute force and enumeration attacks. Partners
must apply strict limits on login attempts, OTP requests, and API
usage. Exponential backoff and CAPTCHA should be implemented for
authentication, password reset, and high-risk transactions to prevent
automated attacks. OTP brute-force attacks must be prevented.
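
An added example, not taken from the guideline, of the OTP brute-force protection section 8 requires: per-account failure counting with exponential backoff. The thresholds (three free attempts, 30 s base delay, one-hour cap) are assumptions, and the in-memory dict stands in for the shared store a deployed service would use.

```python
import hmac
import time
from dataclasses import dataclass

@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0

class OtpGuard:
    """Per-account brute-force protection for OTP (or password) verification.

    The first `free_attempts` failures are only counted. Each further failure
    locks the account for base_delay * 2**n seconds (n = 0, 1, 2, ...), capped
    at max_delay, so a 6-digit OTP cannot be exhausted within its lifetime.
    A successful verification clears the state. `clock` is injectable so the
    behaviour can be tested without sleeping. Thresholds are assumed values.
    """

    def __init__(self, free_attempts=3, base_delay=30.0, max_delay=3600.0, clock=time.time):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state: dict[str, AttemptState] = {}  # stand-in for a shared store

    def retry_after(self, account: str) -> float:
        """Seconds until `account` may try again; 0.0 if it is not locked."""
        st = self._state.get(account)
        return 0.0 if st is None else max(0.0, st.locked_until - self.clock())

    def verify(self, account: str, submitted: str, expected: str) -> bool:
        """True only if the OTP matches and the account is not locked out."""
        if self.retry_after(account) > 0:
            return False  # locked: reject before even comparing the code
        st = self._state.setdefault(account, AttemptState())
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            del self._state[account]
            return True
        st.failures += 1
        over = st.failures - self.free_attempts
        if over > 0:
            delay = min(self.base_delay * 2 ** (over - 1), self.max_delay)
            st.locked_until = self.clock() + delay
        return False
```

The `expected` code itself should also expire after a few minutes; that lifetime is enforced by the OTP issuer, not shown here.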

9. Third-Party Components & Dependency Management

Third-party libraries and components must be regularly updated and
monitored for vulnerabilities. The use of outdated components with
known CVEs can introduce security weaknesses. Partners must
maintain an up-to-date Software Bill of Materials (SBOM) and regularly
patch dependencies.

10. Cloud & Container Security

Cloud-based applications and containerized environments must adhere
to security best practices. Misconfigured storage buckets, overly
permissive IAM roles, and unverified container images can expose
critical data. Partners must implement secure cloud storage
configurations and enforce IAM policies.

11. Mobile-Specific Security

Mobile applications present unique security challenges, including
insecure local storage, SSL pinning bypass, and exported activities.
Partners must ensure that mobile applications do not store sensitive
data in plaintext, enforce root detection mechanisms, and protect API
communication.

12. Server & Network Hardening

Server and network configurations must be hardened to reduce attack
surfaces. Unnecessary open ports, weak firewall rules, sensitive
directory listings, excessive information disclosure, and outdated TLS
versions can expose the infrastructure to attacks. Partners must
regularly review and apply best practices for network security.

13. Secure Coding & Code Hygiene

Secure coding practices must be enforced throughout the development
lifecycle. Hardcoded credentials, lack of obfuscation, and inadequate
logging can introduce security risks. Partners must follow secure
coding guidelines and conduct regular code reviews.

14. Insider Threat & Social Engineering

Insider threats and social engineering attacks must be mitigated
through strict internal security controls and employee awareness
programs. Partners must enforce MFA, conduct security awareness
training, and monitor for suspicious activities.
