Layer7 API Management

  • 1.  Using Threat Protection Assertions

    Posted Aug 14, 2017 11:14 PM

So I am trying to use as many assertions (in this category) as possible, but I am constantly running into false positives and basically ended up using just a handful that apply across all our policies/services. Is this the same experience for others? Did you custom-apply these per policy vs. a global fragment of these assertions? I am not sure where the line is between "not enough", "good enough" and "yes, this is ideal".



  • 2.  Re: Using Threat Protection Assertions
    Best Answer

    Broadcom Employee
    Posted Aug 15, 2017 01:32 PM

I have seen this with a lot of customers. Older API calls mostly violate newer security checks. What I recommend is using those assertions in a "non-intrusive" mode, with logging only. This gives the customer a sense of what they need to change in the applications calling those APIs, and then, based on the log analysis, they can gradually switch some of them to active.



  • 3.  Re: Using Threat Protection Assertions

    Posted Aug 17, 2017 03:39 AM

    Hi Michael,

We're facing exactly the same issue: too many false positives, e.g. for SQL injection, so we generally need to turn it off. A "learning mode" as suggested by you, with logging only, would be great.

We see our API Gateway as similar to a WAF for web applications: both are exposed directly to the internet and must be capable of performing advanced threat protection. But today we don't have the same possibilities on the CA API Gateway as on WAFs. So our customers challenge us to put the gateway behind a WAF, which introduces operational issues, because two components must be adjusted for API deployments, mutual SSL is no longer possible, etc.



  • 4.  Re: Using Threat Protection Assertions

    Broadcom Employee
    Posted Aug 17, 2017 01:38 PM

    Hi Peter,

We are in the process of replacing a WAF with the gateway for one of my clients. Right now the gateway is positioned before the WAF with all Threat Protection assertions on in logging mode to see what threats are coming in. The next step will be analyzing the logs and activating the appropriate assertions. Once this is done they will decommission the WAF.
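The procedure described in replies 2 and 4 (run every threat protection assertion in logging-only mode, analyze the logs, then enable per service what does not trip legitimate clients) leaves out the analysis step itself. The following is an added example of that triage, not code from this thread or from the Layer7/CA API Gateway product. The log line format, the assertion names (`SQLAttackProtection`, `CodeInjectionProtection`, `DocStructureThreats`), the service paths and the IP addresses are all constructed for illustration; in practice the records would come from whatever audit sink your log-only policy branch writes to, and `LINE_RE` must be adapted to it. It also answers the original poster's "global fragment vs. per policy" question by reporting which assertions are clean across every service and can therefore live in a shared fragment.

```python
"""Triage threat-protection hits collected in log-only mode (added example)."""
import re
from collections import Counter, defaultdict

# Illustrative assertion labels; substitute the names your policies actually use.
ASSERTIONS = ("SQLAttackProtection", "CodeInjectionProtection", "DocStructureThreats")

# Constructed record format: one line per request, listing the threat-protection
# assertions that would have failed ("-" when none) plus the matched pattern.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) service=(?P<service>\S+) src=(?P<src>\S+) '
    r'flagged=(?P<flagged>\S+)(?: match="(?P<match>[^"]*)")?$'
)

# Constructed sample log; paths, IPs and timestamps are made up.
SAMPLE_LOG = """\
2017-08-15T10:00:01Z service=/legacy/orders src=10.0.4.12 flagged=SQLAttackProtection match="--"
2017-08-15T10:00:02Z service=/legacy/orders src=10.0.4.12 flagged=SQLAttackProtection match="--"
2017-08-15T10:00:03Z service=/legacy/orders src=10.0.4.12 flagged=SQLAttackProtection match="--"
2017-08-15T10:00:04Z service=/legacy/orders src=10.0.4.13 flagged=SQLAttackProtection match="'"
2017-08-15T10:00:05Z service=/legacy/orders src=10.0.4.13 flagged=-
2017-08-15T10:00:06Z service=/legacy/orders src=10.0.4.14 flagged=-
2017-08-15T10:00:07Z service=/api/v2/accounts src=198.51.100.5 flagged=-
2017-08-15T10:00:08Z service=/api/v2/accounts src=198.51.100.6 flagged=-
2017-08-15T10:00:09Z service=/api/v2/accounts src=198.51.100.7 flagged=-
2017-08-15T10:00:10Z service=/api/v2/accounts src=203.0.113.7 flagged=SQLAttackProtection,CodeInjectionProtection match="UNION SELECT"
2017-08-15T10:00:11Z service=/api/v2/accounts src=198.51.100.5 flagged=-
2017-08-15T10:00:12Z service=/api/v2/accounts src=198.51.100.8 flagged=-
"""


def parse(log_text):
    """Return (records, skipped): parsed dicts plus the count of malformed lines."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # never silently drop lines; report them
            continue
        rec = m.groupdict()
        rec["flagged"] = [] if rec["flagged"] == "-" else rec["flagged"].split(",")
        records.append(rec)
    return records, skipped


def triage(log_text, enforce_below=0.05, assertions=ASSERTIONS):
    """Per (service, assertion): hit count, hit rate, top sources and a recommendation."""
    records, _ = parse(log_text)
    requests = Counter(r["service"] for r in records)
    hits, sources, samples = Counter(), defaultdict(Counter), defaultdict(set)
    for r in records:
        for a in r["flagged"]:
            hits[(r["service"], a)] += 1
            sources[(r["service"], a)][r["src"]] += 1
            if r["match"]:
                samples[(r["service"], a)].add(r["match"])
    report = {}
    for service, total in requests.items():
        for a in assertions:
            key = (service, a)
            n = hits[key]
            rate = n / total
            if n == 0:
                verdict = "enforce"
            elif rate < enforce_below:
                verdict = "enforce, keep auditing"   # rare hits: likely real probes
            else:
                verdict = "keep logging, review top sources"  # probably a legacy client
            report[key] = {
                "requests": total, "hits": n, "rate": rate,
                "top_sources": sources[key].most_common(3),
                "samples": sorted(samples[key]),
                "recommendation": verdict,
            }
    return report


def global_candidates(report, assertions=ASSERTIONS):
    """Assertions safe for a shared policy fragment: 'enforce' on every service."""
    return sorted(a for a in assertions
                  if all(v["recommendation"].startswith("enforce")
                         for (_, x), v in report.items() if x == a))


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for (svc, a), v in sorted(rep.items()):
        print(f"{svc:20} {a:24} {v['hits']:3}/{v['requests']:<3} "
              f"{v['recommendation']:35} {v['top_sources']}")
    print("global fragment candidates:", global_candidates(rep))
```

The threshold is deliberately a parameter: a service that trips an assertion on more than a few percent of its traffic almost always has a legitimate client sending something the rule dislikes, and the `top_sources` list tells you which client owner to contact before switching that assertion from logging to enforcing. Run it over a full day or week of records rather than a handful, and feed the `skipped` count back into the audit configuration if it is non-zero.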