ObjectSecurity

ObjectSecurity is an information technology company focusing on information security (model-driven security, fine-grained access control, middleware security), supply chain risk analysis, data analytics, and artificial intelligence. The company pioneered the development of model-driven security, which was mostly an academic concept prior to the company's developments. The company is best known for its OpenPMF (Open Policy Management Framework) model-driven security product, a security policy automation product for which the company received a "Cool Vendor" award from Gartner in 2008. In recent years, ObjectSecurity diversified into supply-chain risk-analysis automation, for which the company was selected "Finalist" by AFWERX in 2019, and vulnerability assessment & pentesting automation.


History

ObjectSecurity was founded in 2000 by information security experts Ulrich Lang and Rudolf Schreiner. At that time, Lang was a researcher at the University of Cambridge Computer Laboratory, working on "Access Policies for Middleware", and both were working as independent information security consultants. Initially, ObjectSecurity was mainly working on customer projects around middleware security, especially CORBA, but they quickly found that it was not possible to author and maintain security configurations for interconnected, distributed application environments. In an attempt to solve these challenges, the team built a full OMG CORBA Security SL3 & SSLIOP open source implementation based on MICO CORBA.


Security Policy Automation

To solve various challenges around implementing secure distributed systems, ObjectSecurity released OpenPMF version 1, at that time one of the first Attribute Based Access Control (ABAC) products in the market. It allowed the central authoring of access rules and their automatic enforcement across all middleware nodes using local decision/enforcement points. Thanks to the support of several EU funded research projects, ObjectSecurity found that a central ABAC approach alone was not a manageable way to implement security policies.

ObjectSecurity released OpenPMF version 2. It is based on a concept called model-driven security, which allows the intuitive, business-centric specification of security requirements and the automatic generation of enforceable security policies. OpenPMF version 2 was designed to bridge the semantic gap between the policies that users manage and the policies that are technically implemented. At the time of the release of OpenPMF version 2, model-driven security was tied together with a model-driven development process for applications, especially for agile service oriented architecture (SOA). After years of publishing and presenting the scientific and technical approach, some analyst firms, such as Gartner, took note of the scientific approach. Several other awards and recognition followed.

OpenPMF version 3 was released in 2010, supporting advanced policies, Eclipse, cloud, BPMN, SOA, XACML, pub-sub/DDS, and numerous additional enforcement points. ObjectSecurity also extended their model-driven security approach to include automatic compliance/accreditation analysis and evidence generation. In 2009, ObjectSecurity set up an independent legal entity in California, United States to be closer to their US-based customers. In recent years, ObjectSecurity has extended OpenPMF to support automatic system detection, automated formal testing, virtual reality support, API server etc., enabling security policy automation without the need to install local agents, and allowing the use of model-driven security without the need for model-driven development. OpenPMF's support for advanced access control models, including proximity-based access control (PBAC), was also further extended. In 2017, ObjectSecurity released OpenPMF version 4.0, which includes a new browser-based user interface, cloud support, and numerous other features.


Supply Chain Risk Analysis Automation

In 2019, ObjectSecurity released a beta version of a United States Navy SBIR funded Supply Chain Risk Analysis Management Solution (SCRAMS), which analyzes procurement information from SAP and other sources for anomalies indicating supply chain risks.


Vulnerability Assessment & Pen-Testing Automation (VAPT)

In 2019, ObjectSecurity released an alpha version of U.S. Navy SBIR funded VAPT automation tools, which automatically analyze both IP systems/networks and embedded devices (via non-IP ports) for software vulnerabilities.

