{{Short description|Information security company}} {{Infobox company | name = ObjectSecurity | image = ObjectSecurity_company_logo.png | logo_alt = ObjectSecurity logo | industry = Information Security | image_caption = | type = Private | founded = UK ({{Start date|2000}}), California since 2009, Germany since 2017 | founder = Ulrich Lang, Rudolf Schreiner | location = San Diego, USA and Berlin, Germany | area_served = Worldwide | key_people = Ulrich Lang <small>(CEO, ObjectSecurity LLC)</small><br />Rudolf Schreiner <small>(CEO ObjectSecurity OSA GmbH)</small><br />Karel Gardas <small>(Chief Software Engineer)</small><br />Holmes Chuang <small>(Principal Software Scientist)</small><ref>{{cite web|title=Company - ObjectSecurity|url=https://objectsecurity.com/otai/company/|accessdate=11 December 2024}}</ref> }}

'''ObjectSecurity''' is an information technology company focusing on information security (model-driven security, fine-grained access control, middleware security), supply chain risk analysis, data analytics, and artificial intelligence. The company pioneered the development of model-driven security,<ref name="mds">{{Cite book |url=https://books.google.com/books?id=OMtUAgAAQBAJ&q=lang+%26+schreiner&pg=PA103 |title=Advances in Computers Volume 93 |date=26 February 2014 |publisher=Academic Press (Elsevier) |isbn=978-0-12-800162-2 |editor-last=Memon |editor-first=Atif M. |pages=113}}</ref> which was mostly an academic concept prior to the company's developments. The company is best known for their ''OpenPMF'' (Open Policy Management Framework) model-driven security product,<ref>{{cite web |title=OpenPMF Website |url=http://www.openpmf.com |website=Object Security}}</ref> security policy automation product for which the company received a "''Cool Vendor''" award from Gartner in 2008.<ref name="coolvendor">{{cite web| url= https://www.gartner.com/doc/639714/cool-vendors-application-security-authentication | archive-url= https://web.archive.org/web/20160304201523/https://www.gartner.com/doc/639714/cool-vendors-application-security-authentication | url-status= dead | archive-date= March 4, 2016 | title = Cool Vendors in Application Security and Authentication, 2008 }}</ref> In recent years, ObjectSecurity diversified into supply-chain risk-analysis automation for which the company was selected "''Finalist''" by AFWERX in 2019,<ref name="afwx">{{cite web |date=2019-11-12 |title=AFMEP: Air Force Supply Chain Challenge Finalist & ITC 2019 expo |url=https://objectsecurity.com/afwerx |website=Object Security}}</ref> and vulnerability assessment & pentesting automation.{{cn|date=September 2023}}

==History== ObjectSecurity was founded in 2000 by information security experts, Ulrich Lang and Rudolf Schreiner.<ref>{{cite web |title=About Object Security |url=http://www.objectsecurity.com/en-contact-team.html |website=Object Security}}</ref> At that time, Lang was a researcher at the University of Cambridge Computer Laboratory, working on "Access Policies for Middleware", and both were working as independent information security consultants.<ref>{{cite web |last=Lang |first=Ulrich |date=May 2003 |title=Technical Report (Number 564): Access Policies for Middleware, PhD Thesis |url=http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-564.pdf |access-date=2024-03-18 |website=University of Cambridge Computer Laboratory}}</ref>

Initially, ObjectSecurity was mainly working on customer projects around middleware security, esp. CORBA, but they quickly remarked that it was not possible to author and maintain security configurations for interconnected, distributed application environments. In an attempt to solve this challenges, the team built a full OMG CORBA Security SL3 & SSLIOP open source implementation based on MICO CORBA.<ref>{{Cite book |last1=Lang |first1=Ulrich |url=http://www.artechhouse.com/Main/Books/Developing-Secure-Distributed-Systems-with-CORBA-749.aspx |title=Developing Secure Distributed Systems with COBRA |last2=Schreiner |first2=Rudolf |date=1 February 2002 |publisher=Artech House Publishers |isbn=9781580532952 |language=English}}</ref>

===Security Policy Automation=== To solve various challenges around implementing secure distributed systems, ObjectSecurity released OpenPMF version 1,<ref>{{cite web |last=Lorang |first=Gerald |date=2004 |title=New Coach platform improves development of distributed applications. in Primeur Magazine |url=http://www.hoise.com/primeur/04/articles/monthly/AE-PR-09-04-61.html |archive-url=https://web.archive.org/web/20041212163759/http://www.hoise.com/primeur/04/articles/monthly/AE-PR-09-04-61.html |url-status=dead |archive-date=December 12, 2004 |website=www.hoise.com}}</ref> at that time one of the first Attribute Based Access Control (ABAC) products in the market. It allowed the central authoring of access rules, and the automatic enforcement across all middleware nodes using local decision/enforcement points. Thanks to the support of several EU funded research projects, ObjectSecurity found that a central ABAC approach alone was not a manageable way to implement security policies.<ref>{{cite web| url= http://ec.europa.eu/research/transport/projects/items/ad4_en.htm | title = AD4EU FP6 Project Website }}</ref><ref>{{cite web| url= http://objectsecurity.com/doc/coachprojectflyer.pdf | title = COACH project flyer }}</ref>

ObjectSecurity released OpenPMF version 2. It is based on a concept called model-driven security which allows the intuitive, business-centric specification of security requirements and the automatic generation of enforceable securities policies.<ref name="mds" /><ref name="ltn">{{ cite web| url= http://objectsecurity.com/doc/LTnetwork-ICT-SIG-newsletter-April-2008-cached.pdf | title = The newsletter of LTN's Information & Communications Technologies Special Interest Group 2008, p.4 (PDF hosted by ObjectSecurity, LTN is not operating anymore )}}</ref> OpenPMF version 2 was designed to bridge the semantic gap between the policies that users manage, and the policies that are technically implemented. At the time of the release of OpenPMF version 2, model-driven security was tied together with a model-driven development process for applications, especially for agile service oriented architecture (SOA).<ref name="ltn" />

After years of publishing and presenting the scientific and technical approach, some analyst firms, such as Gartner took note of the scientific approach.<ref name="publist">{{cite web| url= http://www.objectsecurity.com/en-home-resources.html | title = ObjectSecurity Publications Website }}</ref> Several other awards and recognition followed.<ref>{{cite web| url= http://www.objectsecurity.com/doc/ISSE%202009-10-07_TeleTrusT%20Innovation%20Award_090930-EN.pdf | title = TeleTrusT Awards }}</ref><ref>{{cite web| url= https://www.cl.cam.ac.uk/ring/awards.html | title = University of Cambridge Computer Lab Ring Awards | date = 23 January 2018 }}</ref> OpenPMF version 3 was released in 2010, supporting advanced policies, Eclipse, cloud, BPMN,<ref>{{cite web| url= http://www.infoworld.com/article/2631386/open-source-software/open-source-software-best-of-open-source-software-awards-2009.html?page=2 | title = Best of Open Source Software Awards 2009 (mentions the OpenPMF 2.0 integration into the open source Intalio BPMS | date = 31 August 2009 }}</ref> SOA, XACML, pub-sub/DDS, and numerous additional enforcement points.<ref>{{cite web| url= http://www.objectsecurity.com/doc/20100222_openpmf30.pdf | title = ObjectSecurity OpenPMF v3 Release }}</ref> ObjectSecurity also extended their model-driven security approach to include automatic compliance/accreditation analysis and evidence generation<ref>{{cite web| url= http://csis.gmu.edu/wisg2009/ | title = Rudolf Schreiner and Ulrich Lang, "Model Driven Security Accreditation (MDSA) For Agile, Interconnected IT Landscapes", WISG Conference Proceedings 2009 }}</ref>

In 2009, ObjectSecurity set up an independent legal entity in California, United States to be closer to their US-based customers.<ref>{{cite web| url= http://www.bizjournals.com/sanjose/stories/2009/07/20/smallb3.html?page=all/ | title = ObjectSecurity in Palo Alto aims to make security automatic, Silicon Valley Business Journal, 2009 }}</ref>

In recent years, ObjectSecurity has extended OpenPMF to support automatic system detection, automated formal testing,<ref name="nist">{{cite web| url= https://csrc.nist.gov/Projects/Access-Control-Policy-Tool/Beta-Release-Of-Access-Control-Policy-Tool | title = Beta Release Of Access Control Policy Tool, retrieved 2018 | date = 24 May 2016 }}</ref> virtual reality support, API server etc., enabling security policy automation without the need to install local agents, and allowing the use of model-driven security without the need for a model-driven development. OpenPMF's support for advanced access control models including proximity-based access control, PBAC was also further extended.<ref name="pbac">{{cite web| url= https://www.sbir.gov/sbirsearch/detail/415285 | title = Proximity Based Access Control SBIR Award Notice, 2013 }}</ref>

==Products== ===OpenPMF 4.0=== In 2017, ObjectSecurity released OpenPMF version 4.0, which includes a new browser-based user interface, cloud support, and numerous other features.<ref>{{Cite web |title=Launch OpenPMF 4.0 Security Policy Automation and Management Platform. |url=https://objectsecurity.com/blog/2017/02/13/news-release/ |access-date=2023-08-25 |website=ObjectSecurity |language=en-US}}</ref>

===Supply Chain Risk Analysis Automation=== In 2019, ObjectSecurity released a beta version of a United States Navy SBIR funded<ref name="scramssbir">{{cite web| url= https://www.sbir.gov/sbirsearch/detail/1188723 | title = Direct to Phase II ��� Supply Chain Risk Analysis Management Solution (SCRAMS), 2016 }}</ref> Supply Chain Risk Analysis Management Solution (SCRAMS),<ref name="scrams">{{cite web| url= https://objectsecurity.com/scrams | title = Supply Chain Risk Analysis Management Solution (SCRAMS) website, 2019 }}</ref> which analyzes procurement information from SAP and other sources for anomalies indicating supply chain risks. ===Vulnerability Assessment & Pen-Testing Automation (VAPT)=== In 2019, ObjectSecurity released an alpha version of a U.S. United States Navy SBIR funded<ref name="rbsbir">{{cite web| url= https://www.navysbir.com/n18_2/N182-131.htm | title = Red Team in a Box for Embedded and Non-IP Devices, 2018}}</ref> VAPT automation tools,<ref name="vapt">{{cite web| url= https://objectsecurity.com/vaptbox | title = WhizRT - VAPTBOX website, 2019 }}</ref> which automatically analyze both IP systems/networks and embedded devices (via non-IP ports) for software vulnerabilities. ===BinLens=== BinLens,<ref name="binlens">{{cite web| url= https://objectsecurity.com/otai/ | title = ObjectSecurity BitLens, 2024 }} </ref> previously known as OT.AI Platform,<ref name="otai">{{cite web| url= https://objectsecurity.com/otai/binlens-3-0-release/ | title = ObjectSecurity Releases BinLens 3.0 for Advanced Binary Vulnerability Analysis, 2024| date = 15 November 2024}}</ref> is an Operational Technology / Industrial control system firmware security-assessment platform, aimed to detect Common Vulnerabilities and Exposures at the firmware level for many industrial devices, including PLCs, HMIs, SCADA Systems, etc.

==References== {{reflist|2}}

Category:Companies based in San Francisco Category:Companies based in San Diego Category:Business software companies Category:Software companies based in the San Francisco Bay Area Category:Software companies of the United States