ObjectSecurity

Company type: Private
Industry: Information security
Founded: 2000 (UK); California since 2009; Germany since 2017
Founders: Ulrich Lang, Rudolf Schreiner
Headquarters: San Diego, USA and Berlin, Germany
Area served: Worldwide
Key people:
Ulrich Lang (CEO, ObjectSecurity LLC)
Rudolf Schreiner (CEO, ObjectSecurity OSA GmbH)
Karel Gardas (Chief Software Engineer)
Holmes Chuang (Principal Software Scientist)
Reza Fatahi (Principal Research Scientist)
Susan Farrell (Head of R&D Commercialization) [1]

ObjectSecurity is an information technology company focusing on information security (model-driven security, fine-grained access control, middleware security), supply chain risk analysis, data analytics, and artificial intelligence. The company pioneered the development of model-driven security, [2] which was mostly an academic concept prior to the company's developments. The company is best known for its OpenPMF (Open Policy Management Framework) model-driven security and security policy automation product, [3] for which the company received a "Cool Vendor" award from Gartner in 2008. [4] In recent years, ObjectSecurity diversified into supply-chain risk-analysis automation, for which the company was selected as a "Finalist" by AFWERX in 2019, [5] and into vulnerability assessment and pentesting automation. [citation needed]

History

ObjectSecurity was founded in 2000 by information security experts Ulrich Lang and Rudolf Schreiner. [6] At that time, Lang was a researcher at the University of Cambridge Computer Laboratory, working on "Access Policies for Middleware", and both were working as independent information security consultants. [7]

Initially, ObjectSecurity was mainly working on customer projects around middleware security, especially CORBA, but the founders quickly found that it was not practical to author and maintain security configurations by hand for interconnected, distributed application environments. In an attempt to solve these challenges, the team built a full OMG CORBA Security SL3 and SSLIOP open source implementation based on MICO CORBA. [8]

Security Policy Automation

To solve various challenges around implementing secure distributed systems, ObjectSecurity released OpenPMF version 1, [9] at that time one of the first Attribute Based Access Control (ABAC) products on the market. It allowed the central authoring of access rules and their automatic enforcement across all middleware nodes using local decision/enforcement points. Through several EU-funded research projects, ObjectSecurity found that a central ABAC approach alone was not a manageable way to implement security policies. [10] [11]

ObjectSecurity then released OpenPMF version 2. It is based on a concept called model-driven security, which allows the intuitive, business-centric specification of security requirements and the automatic generation of enforceable security policies. [2] [12] OpenPMF version 2 was designed to bridge the semantic gap between the policies that users manage and the policies that are technically implemented. At the time of the release of OpenPMF version 2, model-driven security was tied together with a model-driven development process for applications, especially for agile service oriented architecture (SOA). [12]
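The two ideas in this section, central authoring of attribute-based rules applied by node-local decision/enforcement points and model-driven generation of those rules from a business-centric policy, are easier to see in code. The following Python script is an illustration added for this page; it is not OpenPMF's code or design, and the node names, roles, attributes and the tiny condition language are constructed assumptions.

```python
# Added example for this page, not OpenPMF code: a toy model-driven security
# pipeline. A business-centric policy model is compiled into per-node ABAC
# rules, which node-local decision/enforcement points then apply. All policy,
# node and attribute names below are constructed assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class BusinessRule:
    """Business-level statement: role may do action on resource_type, if condition."""
    role: str
    action: str
    resource_type: str
    condition: Optional[str] = None  # e.g. "subject.department == resource.department"

@dataclass(frozen=True)
class AbacRule:
    """Technical rule generated for one node: attribute predicates plus condition."""
    node: str
    action: str
    subject_attrs: Dict[str, str]
    resource_attrs: Dict[str, str]
    condition: Optional[str]

# Constructed system model: which middleware node hosts which resource type.
# This is what lets one business rule be placed on the right enforcement points.
SYSTEM_MODEL = {"records-service": {"patient_record"}, "billing-service": {"invoice"}}

# Constructed business-centric policy, the side that users would manage.
BUSINESS_POLICY = [
    BusinessRule("doctor", "read", "patient_record", "subject.department == resource.department"),
    BusinessRule("clerk", "read", "invoice"),
    BusinessRule("clerk", "update", "invoice", "resource.status != 'closed'"),
]

def compile_policy(policy: List[BusinessRule], system_model) -> List[AbacRule]:
    """Generate enforceable ABAC rules from the business model, one copy per node
    that actually hosts the rule's resource type."""
    return [AbacRule(node, br.action, {"role": br.role}, {"type": br.resource_type}, br.condition)
            for br in policy
            for node, hosted in system_model.items() if br.resource_type in hosted]

# Tiny condition language: "<side>.<attr> (==|!=) <side>.<attr> or '<literal>'".
# Evaluating it by hand keeps policy text away from eval().
_COND = re.compile(r"^(subject|resource)\.(\w+)\s*(==|!=)\s*(?:(subject|resource)\.(\w+)|'([^']*)')$")

def eval_condition(cond: Optional[str], subject: dict, resource: dict) -> bool:
    """Evaluate a rule condition against the request's subject/resource attributes."""
    if cond is None:
        return True
    m = _COND.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond!r}")
    sides = {"subject": subject, "resource": resource}
    lhs = sides[m.group(1)].get(m.group(2))
    rhs = sides[m.group(4)].get(m.group(5)) if m.group(4) else m.group(6)
    return lhs == rhs if m.group(3) == "==" else lhs != rhs

class LocalDecisionPoint:
    """Node-local PDP: holds only this node's generated rules; default deny."""
    def __init__(self, node: str, rules: List[AbacRule]):
        self.node = node
        self.rules = [r for r in rules if r.node == node]

    def decide(self, subject: dict, action: str, resource: dict) -> str:
        for r in self.rules:
            if r.action != action:
                continue
            if any(subject.get(k) != v for k, v in r.subject_attrs.items()):
                continue
            if any(resource.get(k) != v for k, v in r.resource_attrs.items()):
                continue
            if eval_condition(r.condition, subject, resource):
                return "permit"
        return "deny"  # no rule permitted the request

def enforce(pdp: LocalDecisionPoint, handler):
    """Enforcement point: every call to the wrapped service handler is checked first."""
    def guarded(subject: dict, action: str, resource: dict):
        if pdp.decide(subject, action, resource) != "permit":
            raise PermissionError(f"{pdp.node}: {action} on {resource.get('id')} denied")
        return handler(subject, action, resource)
    return guarded

if __name__ == "__main__":
    rules = compile_policy(BUSINESS_POLICY, SYSTEM_MODEL)
    read_record = enforce(LocalDecisionPoint("records-service", rules),
                          lambda s, a, r: f"{s['id']} read {r['id']}")
    doctor = {"id": "dr-1", "role": "doctor", "department": "cardiology"}
    print(read_record(doctor, "read", {"id": "rec-1", "type": "patient_record", "department": "cardiology"}))
```

The point of the split is the "semantic gap" mentioned above: the business policy never names a node, yet each node ends up with exactly the rules it needs, and a change to one business rule regenerates every affected technical rule. The decision point is default-deny and the condition evaluator accepts only a fixed grammar, so malformed policy text fails closed instead of being interpreted.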

After years of publishing and presenting the scientific and technical approach, analyst firms such as Gartner took note of it. [13] Several other awards and recognitions followed. [14] [15] OpenPMF version 3 was released in 2010, supporting advanced policies, Eclipse, cloud, BPMN, [16] SOA, XACML, pub-sub/DDS, and numerous additional enforcement points. [17] ObjectSecurity also extended its model-driven security approach to include automatic compliance/accreditation analysis and evidence generation. [18]

In 2009, ObjectSecurity set up an independent legal entity in California, United States to be closer to their US-based customers. [19]

In recent years, ObjectSecurity has extended OpenPMF to support automatic system detection, automated formal testing, [20] virtual reality support, an API server, etc., enabling security policy automation without the need to install local agents and allowing the use of model-driven security without a model-driven development process. OpenPMF's support for advanced access control models, including proximity-based access control (PBAC), was also further extended. [21]

Products

OpenPMF 4.0

In 2017, ObjectSecurity released OpenPMF version 4.0, which includes a new browser-based user interface, cloud support, and numerous other features. [22]

Supply Chain Risk Analysis Automation

In 2019, ObjectSecurity released a beta version of a United States Navy SBIR-funded [23] Supply Chain Risk Analysis Management Solution (SCRAMS), [24] which analyzes procurement information from SAP and other sources for anomalies indicating supply chain risks.

Vulnerability Assessment & Pen-Testing Automation (VAPT)

In 2019, ObjectSecurity released an alpha version of a United States Navy SBIR-funded [25] VAPT automation tool, [26] which automatically analyzes both IP systems/networks and embedded devices (via non-IP ports) for software vulnerabilities.

OT.AI Platform

In 2022, ObjectSecurity released OT.AI Platform, [27] an Operational Technology / Industrial Control System firmware security-assessment platform aimed at detecting Common Vulnerabilities and Exposures at the firmware level for many industrial devices, including PLCs, HMIs, SCADA systems, etc.

References

  1. "Company - ObjectSecurity". Retrieved 5 January 2024.
  2. Memon, Atif M., ed. (26 February 2014). Advances in Computers, Volume 93. Academic Press (Elsevier). p. 113. ISBN 978-0-12-800162-2.
  3. "OpenPMF Website". ObjectSecurity.
  4. "Cool Vendors in Application Security and Authentication, 2008". Archived from the original on March 4, 2016.
  5. "AFMEP: Air Force Supply Chain Challenge Finalist & ITC 2019 expo". ObjectSecurity. 2019-11-12.
  6. "About ObjectSecurity". ObjectSecurity.
  7. Lang, Ulrich (May 2003). "Access Policies for Middleware" (PhD thesis; Technical Report Number 564) (PDF). University of Cambridge Computer Laboratory. Retrieved 2024-03-18.
  8. Lang, Ulrich; Schreiner, Rudolf (1 February 2002). Developing Secure Distributed Systems with CORBA. Artech House Publishers. ISBN 9781580532952.
  9. Lorang, Gerald (2004). "New Coach platform improves development of distributed applications". Primeur Magazine. www.hoise.com. [dead link]
  10. "AD4EU FP6 Project Website".
  11. "COACH project flyer" (PDF).
  12. "The newsletter of LTN's Information & Communications Technologies Special Interest Group 2008, p. 4" (PDF). PDF hosted by ObjectSecurity; LTN is no longer operating.
  13. "ObjectSecurity Publications Website".
  14. "TeleTrusT Awards" (PDF).
  15. "University of Cambridge Computer Lab Ring Awards". 23 January 2018.
  16. "Best of Open Source Software Awards 2009" (mentions the OpenPMF 2.0 integration into the open source Intalio BPMS). 31 August 2009.
  17. "ObjectSecurity OpenPMF v3 Release" (PDF).
  18. Schreiner, Rudolf; Lang, Ulrich (2009). "Model Driven Security Accreditation (MDSA) For Agile, Interconnected IT Landscapes". WISG Conference Proceedings 2009.
  19. "ObjectSecurity in Palo Alto aims to make security automatic". Silicon Valley Business Journal. 2009.
  20. "Beta Release Of Access Control Policy Tool". 24 May 2016. Retrieved 2018.
  21. "Proximity Based Access Control SBIR Award Notice". 2013.
  22. "Launch OpenPMF 4.0 Security Policy Automation and Management Platform". ObjectSecurity. Retrieved 2023-08-25.
  23. "Direct to Phase II – Supply Chain Risk Analysis Management Solution (SCRAMS)". 2016.
  24. "Supply Chain Risk Analysis Management Solution (SCRAMS) website". 2019.
  25. "Red Team in a Box for Embedded and Non-IP Devices". 2018.
  26. "WhizRT - VAPTBOX website". 2019.
  27. "OT.AI Platform". 2022.