Why Indian SMBs Must Secure APIs Before the Next Breach Hits
The Real Cost of Ignoring API Security
APIs are the nervous system of every modern Indian business—from UPI payment integrations to mobile app backends to third-party data feeds. They're also the most overlooked attack surface in the Indian SMB landscape.
The Digital Personal Data Protection (DPDP) Act requires every personal data breach to be reported to the Data Protection Board and to each affected individual, and CERT-In's directions independently require cyber incidents, data breaches included, to be reported within 6 hours of noticing them. No grace period. No exceptions. Yet most Indian SMBs have zero visibility into their API attack surface. Every week, breaches trace back to a single unprotected API endpoint—credentials leaked on GitHub, SQL injection vectors left open, or authentication tokens exposed in logs.
What's Actually Happening in Indian Tech
The Indian tech ecosystem is experiencing rapid digital transformation—but security isn't keeping pace. New-age businesses are extending their infrastructure at breakneck speed, spinning up cloud services, building integrations, and deploying APIs without the security rigor that enterprise teams apply.
The pattern is consistent:
- Rapid API Proliferation: SMBs build 3-5 new APIs per quarter to support mobile apps, partner integrations, and cloud migrations. Each one is a potential attack surface.
- Invisible Inventory: Most teams can't list all their APIs. When asked "How many REST endpoints do you have in production?" the answer is usually "Around 20." It's typically 87.
- Authentication Debt: APIs are often built with basic auth, hardcoded tokens, or no authentication at all.
- Compliance Blind Spot: The DPDP Act doesn't care if your API is "internal only." If it processes personal data—and it does—you're liable, and CERT-In's 6-hour reporting clock starts the moment you notice the breach.
The Technical Reality: How APIs Get Breached
```mermaid
graph TD
    A["Attacker Discovers Unprotected API"] -->|Reconnaissance| B["Enumerate Endpoints"]
    B -->|Exploitation| C["Bypass Authentication"]
    C -->|Access| D["Extract Personal Data"]
    D -->|Exfiltration| E["Sell on Dark Web"]
    F["Victim Discovers Breach"] -->|6-hour CERT-In clock starts| H["CERT-In Report Due"]
    F -->|Form and timeline per DPDP Rules| G["DPDP Board + Data Principal Notification"]
    style A fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style E fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
```
The Typical Attack Flow
Step 1: Discovery
Attackers use automated tools (Shodan, Google dorking, GitHub scanning) to find exposed APIs, looking for:
- Swagger/OpenAPI documentation exposed publicly
- API endpoints in JavaScript files
- Credentials in git history
- Error messages that reveal backend structure
```bash
# Simple curl request to test API response
curl -X GET https://api.yourcompany.in/v1/users \
  -H "Content-Type: application/json"
# If this returns user data without auth, you have a problem
```
Step 3: Exploitation
Common vectors include:
- No authentication: API accepts requests without tokens
- Weak auth: Hardcoded keys, predictable tokens, expired keys still accepted
- SQL Injection: `GET /api/users?id=1' OR '1'='1`
- IDOR (Insecure Direct Object Reference): `GET /api/customers/123/data` → `GET /api/customers/124/data`
- Missing rate limiting: Brute force attacks succeed
- Notify the Data Protection Board and every affected individual (DPDP Act)
- Report to CERT-In within 6 hours of noticing the incident (data breaches and data leaks are on CERT-In's mandatory-reporting list)
- Document everything for RBI (if you handle financial data)
- Prepare for potential penalties under the DPDP Act
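The SQL injection vector above is the one that turns a single-record lookup into a full table dump. The following is an added example, not code from the page or from Bachao.AI: it runs the `1' OR '1'='1` payload against a constructed in-memory SQLite table (hypothetical names and phone numbers) through a string-formatted query and then through a parameterized one, so you can see the difference in rows returned.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table standing in for the
# backend behind GET /api/users?id=... (names and numbers are made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Asha", "+91-90000-00001"),
        (2, "Ravi", "+91-90000-00002"),
        (3, "Meera", "+91-90000-00003"),
    ])
    return conn

def lookup_user_vulnerable(conn, user_id):
    # Vulnerable: the id is spliced into the SQL text, so an attacker-supplied
    # value becomes part of the query grammar instead of a value.
    query = f"SELECT id, name, phone FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()

def lookup_user_safe(conn, user_id):
    # Hardened: validate the type first, then bind the value as a parameter.
    # The driver never lets a bound parameter change the statement.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []
    if uid < 1:
        return []
    return conn.execute(
        "SELECT id, name, phone FROM users WHERE id = ?", (uid,)
    ).fetchall()

# The exact payload from the exploitation list above.
PAYLOAD = "1' OR '1'='1"

def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the safe one)."""
    conn = make_db()
    leaked = lookup_user_vulnerable(conn, PAYLOAD)
    safe = lookup_user_safe(conn, PAYLOAD)
    return len(leaked), len(safe)

if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {leaked} rows, parameterized query returned {safe}")
```

The vulnerable query becomes `WHERE id = '1' OR '1'='1'`, which is true for every row; the safe version rejects the payload before it reaches the database and, for a legitimate id, returns exactly one record.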
Why Indian Businesses Are Particularly Vulnerable
1. API Sprawl Without Governance
Companies build APIs for mobile app backends, partner integrations, internal dashboards, third-party vendor access, and legacy system bridges—but there's no central registry. No one knows all the endpoints, and no one owns the security.
2. Compliance Confusion
The DPDP Act is relatively new, and many SMBs still believe:
- "We're too small to be a target" — False. Attackers use automation and target everyone.
- "Our data isn't sensitive" — Personal data is covered. Period.
- "We'll secure it next quarter" — You have 6 hours to report to CERT-In once you notice a breach.
3. Resource Constraints
Unlike enterprises with dedicated security teams, SMBs have one DevOps engineer wearing five hats, limited budget, pressure to ship features, and no time for security audits.
How to Protect Your APIs Right Now
Layer 1: Inventory & Visibility
| Action | How to Do It | Priority |
|---|---|---|
| List all APIs | Run docker ps, check Kubernetes services, audit AWS API Gateway | CRITICAL |
| Document endpoints | Use Swagger/OpenAPI tools to auto-generate | HIGH |
| Map data flows | Which APIs touch customer data? | CRITICAL |
| Identify owners | Who maintains each API? | HIGH |
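Once the inventory exists as OpenAPI documents, the spec itself can be audited before anyone sends a request. This is an added example, not code from the page or from Bachao.AI: it walks a constructed OpenAPI 3 document (every path and scheme in it is hypothetical) and reports operations that require no authentication, operations that reference a security scheme the spec never defines, and authenticated routes keyed by an object id that need an ownership check in code.

```python
import re

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "options", "head")
PATH_PARAM = re.compile(r"\{[^}]+\}")

# Constructed OpenAPI 3 document standing in for a spec exported from your
# own services; every path, scheme and operation below is hypothetical.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],            # global default for every operation
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    }},
    "paths": {
        "/health": {"get": {"security": []}},    # intentionally public
        "/api/customers/{id}": {
            "get": {"summary": "Read a customer record"},   # inherits bearerAuth
            "put": {"security": [{"apiKey": []}]},           # scheme never defined
        },
        "/api/internal/export": {"get": {"security": []}},  # public by mistake
        "/api/users": {"get": {}},                           # inherits bearerAuth
    },
}

PUBLIC_ALLOWLIST = {"/health"}   # paths you have consciously decided need no auth

def audit_spec(spec, public_allowlist=PUBLIC_ALLOWLIST):
    """Return the three lists a reviewer wants before the API ships."""
    findings = {"unauthenticated": [], "undefined_scheme": [], "idor_review": []}
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:       # skip 'parameters', 'summary', etc.
                continue
            label = f"{method.upper()} {path}"
            # Operation-level 'security' overrides the global list; [] means none.
            security = op.get("security", global_security)
            if not security:
                if path not in public_allowlist:
                    findings["unauthenticated"].append(label)
                continue
            for requirement in security:
                for scheme in requirement:
                    if scheme not in defined:
                        findings["undefined_scheme"].append(f"{label}: {scheme}")
            # Any authenticated route keyed by an object id needs an explicit
            # ownership check in code; the spec cannot express that.
            if PATH_PARAM.search(path):
                findings["idor_review"].append(label)
    return findings

if __name__ == "__main__":
    for category, items in audit_spec(SAMPLE_SPEC).items():
        print(category, items)
```

Run it against each exported spec; anything in `unauthenticated` that is not on your allowlist is a finding, and `idor_review` is the list of handlers to read for the authorization check shown in Layer 3.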
```bash
# Find all REST APIs in your AWS account (one region at a time; repeat per region)
aws apigateway get-rest-apis --query 'items[*].[name,id]' --output table
# HTTP and WebSocket APIs live under API Gateway v2
aws apigatewayv2 get-apis --query 'Items[*].[Name,ApiId]' --output table
# Find all externally reachable services in Kubernetes
kubectl get svc -A | grep -E 'LoadBalancer|NodePort'
# Scan for exposed Swagger/OpenAPI docs at the paths frameworks commonly use
for p in /swagger.json /openapi.json /v2/api-docs /v3/api-docs /api/docs /swagger-ui/; do
  printf '%s ' "$p"; curl -s -o /dev/null -w '%{http_code}\n' "https://yourcompany.in$p"
done
```
Layer 2: Authentication & Authorization
| Approach | Security Level | Effort |
|---|---|---|
| No authentication | Critical Risk | None |
| API Keys | Weak | Low |
| OAuth 2.0 | Strong | Medium |
| mTLS + JWT | Excellent | High |
```javascript
// Node.js example using express-oauth2-jwt-bearer
const express = require('express');
const { auth } = require('express-oauth2-jwt-bearer');

const app = express();

// Validates the Bearer JWT on every request: signature against the issuer's
// published keys, plus the exp, iss and aud claims. A valid token minted for
// a different API fails the audience check and is rejected.
const checkJwt = auth({
  audience: 'https://api.yourcompany.in',
  issuerBaseURL: 'https://yourcompany.auth0.com',
});

app.get('/api/customers', checkJwt, (req, res) => {
  // Only authenticated requests reach here; req.auth holds the verified claims
  res.json({ data: 'sensitive' });
});

app.listen(3000);
```
Layer 3: Input Validation & Object-Level Authorization
```python
from flask import Flask, request
from flask_restx import Api, Resource

app = Flask(__name__)
api = Api(app)

# get_current_user() and get_user_data() stand in for your own session lookup
# and data layer; they are not defined on this page.

@api.route('/api/users/<int:user_id>')
class User(Resource):
    def get(self, user_id):
        # The <int:> converter already rejects non-numeric ids; the range check
        # stops id=0 and negative values from ever reaching the database.
        if user_id < 1:
            return {'error': 'Invalid user ID'}, 400
        current_user = get_current_user(request.headers)
        # Object-level authorization: a caller may read only their own record.
        # This is the check whose absence is the IDOR described above.
        if current_user.id != user_id and not current_user.is_admin:
            return {'error': 'Forbidden'}, 403
        return get_user_data(user_id)
```
A for loop hitting your endpoint 1000x/second can extract your entire database. Most frameworks support rate limiting natively: Flask-Limiter, express-rate-limit, etc.
Layer 4: Logging & Monitoring
```bash
# CloudTrail captures management events (who changed gateway, key or IAM
# config), not per-request traffic; for request logs, enable API Gateway
# access logging to CloudWatch on each stage.
aws cloudtrail create-trail --name api-audit-trail \
  --s3-bucket-name my-audit-logs
aws cloudtrail start-logging --name api-audit-trail
```
Set up alerts for:
- High request volume from single IP
- Failed auth attempts > 10 in 5 minutes
- Unusual data extraction patterns
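The three alerts above are easy to state and easy to get wrong (alerting on every request, or never). The following is an added example, not code from the page or from Bachao.AI: a small detector run over constructed JSON access-log lines. The field names (`ts`, `ip`, `sub`, `path`, `status`) are an assumption to map onto your own log format, and the traffic is made up: one IP hammering a login-protected route with failed auth, one scraper sending 120 requests in a minute, one authenticated user walking customer ids sequentially, and one normal user.

```python
import json
import re
from collections import defaultdict, deque

# Detection thresholds matching the alerting bullets above.
FAILED_AUTH_THRESHOLD, FAILED_AUTH_WINDOW = 10, 300   # >=10 401/403s from one IP in 5 min
VOLUME_THRESHOLD, VOLUME_WINDOW = 100, 60              # >=100 requests from one IP in 1 min
ENUM_THRESHOLD = 20                                    # one principal reading >=20 distinct records

OBJECT_PATH = re.compile(r"^/api/customers/(\d+)$")

def parse_lines(text):
    """One JSON object per line with ts, ip, sub, path, status (assumed field names)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    alerts, fired = [], set()
    windows = defaultdict(deque)        # (rule, key) -> timestamps inside the window
    seen_ids = defaultdict(set)         # principal -> distinct object ids read

    def sliding(rule, key, ts, window, threshold):
        # Sliding-window counter: fires once per key when the count crosses the line.
        dq = windows[(rule, key)]
        dq.append(ts)
        while ts - dq[0] > window:
            dq.popleft()
        if len(dq) >= threshold and (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append({"rule": rule, "key": key, "ts": ts, "count": len(dq)})

    for e in events:
        sliding("high_volume", e["ip"], e["ts"], VOLUME_WINDOW, VOLUME_THRESHOLD)
        if e["status"] in (401, 403):
            sliding("failed_auth_burst", e["ip"], e["ts"], FAILED_AUTH_WINDOW, FAILED_AUTH_THRESHOLD)
        m = OBJECT_PATH.match(e["path"])
        if m and e["status"] == 200:
            # Unusual extraction: one principal successfully reading many distinct
            # records is the signature of IDOR enumeration or a scraped export.
            ids = seen_ids[e["sub"]]
            ids.add(m.group(1))
            if len(ids) >= ENUM_THRESHOLD and ("object_enumeration", e["sub"]) not in fired:
                fired.add(("object_enumeration", e["sub"]))
                alerts.append({"rule": "object_enumeration", "key": e["sub"],
                               "ts": e["ts"], "count": len(ids)})
    return alerts

def build_sample_log():
    """Constructed traffic: a credential-stuffing IP, a scraper, an id walker, a normal user."""
    base = 1_700_000_000
    rows = []
    rows += [{"ts": base + i * 10, "ip": "203.0.113.7", "sub": "-",
              "path": "/api/customers/101", "status": 401} for i in range(12)]
    rows += [{"ts": base + 500 + i // 2, "ip": "198.51.100.9", "sub": "u-bot",
              "path": "/api/products", "status": 200} for i in range(120)]
    rows += [{"ts": base + 1000 + i * 10, "ip": "192.0.2.5", "sub": "u-42",
              "path": f"/api/customers/{100 + i}", "status": 200} for i in range(25)]
    rows += [{"ts": base + 2000 + i * 60, "ip": "192.0.2.8", "sub": "u-7",
              "path": "/api/customers/7", "status": 200} for i in range(3)]
    return "\n".join(json.dumps(r) for r in rows)

def run_demo():
    return detect(parse_lines(build_sample_log()))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each rule fires once per key rather than on every subsequent request, which keeps the alert volume proportional to the number of attackers rather than the number of requests; the normal user never trips anything.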
Layer 5: DPDP Act Compliance Documentation
```yaml
# Example data flow documentation
API: /api/customers/{id}
Data Accessed: name, email, phone, address (personal data)
Authentication: OAuth 2.0 JWT token
Authorization: User can only access their own data
Logging: All requests logged with timestamp, user ID, response code
Retention: Logs retained for at least 180 days (CERT-In directions)
Encryption: TLS 1.2+ for transit, AES-256 at rest
```
The Regulatory Context: DPDP Act & CERT-In
The DPDP Act, enacted in August 2023 with its provisions brought into force in phases through the DPDP Rules, requires:
- Notification of every personal data breach to the Data Protection Board of India and to each affected individual, in the form and within the timeline the Rules prescribe; there is no "significant breach" threshold below which notification can be skipped
- Reasonable security safeguards to prevent personal data breaches, with penalties of up to ₹250 crore per instance for failing to maintain them
Separately, CERT-In's April 2022 directions require:
- Reporting of cyber incidents, including data breaches and data leaks, within 6 hours of noticing them
- Retention of ICT system logs for a rolling period of 180 days, kept within India
This means your API security strategy is your compliance strategy. The two cannot be separated.
How Bachao.AI Detects These Vulnerabilities
Bachao.AI by Dhisattva AI Pvt Ltd built its API security product specifically for the Indian regulatory environment. The platform scans your REST and GraphQL endpoints for:
- Missing authentication mechanisms
- Weak token validation (expired keys, predictable patterns)
- SQL injection and IDOR vulnerabilities
- Exposed sensitive data in API responses
- Missing rate limiting
- Insecure CORS configurations
Bachao.AI also integrates with your existing tools—GitHub for secret scanning in repos, AWS/GCP/Azure for API Gateway configuration audits, Postman for collection-based automated testing.
Real Example: What We Found Last Month
One Indian SMB client had built a customer data API for their mobile app. It had OAuth 2.0 tokens, HTTPS, and decent logging—it looked secure on the surface.
Our API Security scan found:
- Missing rate limiting: 10,000 requests/second possible
- IDOR vulnerability: Customer 123 could access customer 124's data
- Exposed Swagger docs: Full API schema at `/api/docs` with no auth required
- Leaked credentials: Database password appearing in error messages
Your Action Plan This Week
Day 1: Inventory
```bash
grep -rn "@app.route" . --include="*.py"                        # Flask
grep -rnE "app\.(get|post|put|delete)\(" . --include="*.js"     # Express
kubectl get svc -A                                               # Kubernetes
aws apigateway get-rest-apis                                     # AWS
```
Day 2: Audit
- Try accessing APIs without credentials
- Review error messages for sensitive information leaks
- Check rate limiting by testing endpoint spam
- Verify HTTPS (and that plain HTTP redirects rather than serving content):
```bash
curl -I https://yourapi.com
curl -I http://yourapi.com
```
Then remediate what the audit found:
- Implement OAuth 2.0 or API key authentication
- Add input validation and rate limiting
- Enable audit logging
- Document data flows for DPDP compliance
Frequently Asked Questions
Q: How do I quickly find all APIs in my codebase?
A: Use grep for route decorators in your framework (@app.route for Flask, @GetMapping for Spring, app.get/post for Express). For deployed infrastructure, check AWS API Gateway console, Kubernetes service listings, or your nginx/Apache config for proxy_pass entries.
Q: Is a REST API covered by the DPDP Act if it only processes internal employee data?
A: Yes. The DPDP Act covers personal data of employees as well as customers. Any API that handles names, emails, mobile numbers, IP addresses, or location data—regardless of whether it's internal or external—is within scope.
Q: What's the minimum authentication standard CERT-In expects for production APIs?
A: CERT-In's directions don't prescribe an API authentication standard; what they mandate is reporting incidents within 6 hours and retaining logs for 180 days. The OWASP API Security Top 10 is the baseline auditors actually work from: no unauthenticated endpoints processing personal data, token expiry enforced, object-level authorization on every ID-bearing route, and rate limiting on all endpoints.
Q: We use API keys. Is that sufficient?
A: API keys are better than nothing, but have significant weaknesses: they typically never expire, they end up embedded in client-side code, and they identify an application rather than a user, so you can't enforce per-user authorization with them. For APIs processing personal data under DPDP, OAuth 2.0 with short-lived JWT access tokens is the recommended minimum standard.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow on LinkedIn for daily cybersecurity insights for Indian businesses.