# ObjectSecurity

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/ObjectSecurity
> Markdown URL: https://mediated.wiki/source/ObjectSecurity.md
> Source: https://en.wikipedia.org/wiki/ObjectSecurity
> Source revision: 1357085277
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

{{Short description|Information security company}}
{{Infobox company
| name          = ObjectSecurity
| image         = ObjectSecurity_company_logo.png
| logo_alt      = ObjectSecurity logo
| industry      = [Information Security](/source/Information_Security)
| image_caption = 
| type          = [Private](/source/Privately_held_company)
| founded       = UK ({{Start date|2000}}), California since 2009, Germany since 2017
| founder       = Ulrich Lang, Rudolf Schreiner
| location      = [San Diego, USA](/source/San_Diego%2C_USA) and [Berlin, Germany](/source/Berlin%2C_Germany)
| area_served   = Worldwide
| key_people    = Ulrich Lang <small>([CEO](/source/CEO), ObjectSecurity LLC)</small><br />Rudolf Schreiner <small>([CEO](/source/CEO) ObjectSecurity OSA GmbH)</small><br />Karel Gardas <small>(Chief Software Engineer)</small><br />Holmes Chuang <small>(Principal Software Scientist)</small><ref>{{cite web|title=Company - ObjectSecurity|url=https://objectsecurity.com/otai/company/|accessdate=11 December 2024}}</ref>
}}

'''ObjectSecurity''' is an information technology company focusing on [information security](/source/information_security) ([model-driven security](/source/model-driven_security), fine-grained [access control](/source/access_control), [middleware](/source/middleware) security), supply chain risk analysis, data analytics, and artificial intelligence. The company pioneered the development of [model-driven security](/source/model-driven_security),<ref name="mds">{{Cite book |url=https://books.google.com/books?id=OMtUAgAAQBAJ&q=lang+%26+schreiner&pg=PA103 |title=Advances in Computers Volume 93 |date=26 February 2014 |publisher=Academic Press (Elsevier) |isbn=978-0-12-800162-2 |editor-last=Memon |editor-first=Atif M. |pages=113}}</ref> which was mostly an academic concept prior to the company's developments. The company is best known for their ''OpenPMF'' (Open Policy Management Framework) [model-driven security](/source/model-driven_security) product,<ref>{{cite web |title=OpenPMF Website |url=http://www.openpmf.com |website=Object Security}}</ref> security policy automation product for which the company received a "''Cool Vendor''" award from [Gartner](/source/Gartner) in 2008.<ref name="coolvendor">{{cite web| url= https://www.gartner.com/doc/639714/cool-vendors-application-security-authentication | archive-url= https://web.archive.org/web/20160304201523/https://www.gartner.com/doc/639714/cool-vendors-application-security-authentication | url-status= dead | archive-date= March 4, 2016 | title = Cool Vendors in Application Security and Authentication, 2008 }}</ref> In recent years, ObjectSecurity diversified into supply-chain risk-analysis automation for which the company was selected "''Finalist''" by [AFWERX](/source/AFWERX) in 2019,<ref name="afwx">{{cite web |date=2019-11-12 |title=AFMEP: Air Force Supply Chain Challenge Finalist & ITC 2019 expo |url=https://objectsecurity.com/afwerx |website=Object Security}}</ref> and vulnerability assessment & pentesting automation.{{cn|date=September 2023}}

==History==
ObjectSecurity was founded in 2000 by information security experts, Ulrich Lang and Rudolf Schreiner.<ref>{{cite web |title=About Object Security |url=http://www.objectsecurity.com/en-contact-team.html |website=Object Security}}</ref> At that time, Lang was a researcher at the [University of Cambridge](/source/University_of_Cambridge) [Computer Laboratory](/source/Computer_Laboratory%2C_University_of_Cambridge), working on "Access Policies for [Middleware](/source/Middleware)", and both were working as independent information security consultants.<ref>{{cite web |last=Lang |first=Ulrich |date=May 2003 |title=Technical Report (Number 564): Access Policies for Middleware, PhD Thesis |url=http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-564.pdf |access-date=2024-03-18 |website=University of Cambridge Computer Laboratory}}</ref>

Initially, ObjectSecurity was mainly working on customer projects around [middleware](/source/middleware) security, esp. [CORBA](/source/CORBA), but they quickly remarked that it was not possible to author and maintain security configurations for interconnected, distributed application environments. In an attempt to solve this challenges, the team built a full [OMG](/source/Object_Management_Group) [CORBA](/source/CORBA) Security SL3 & [SSLIOP](/source/SSLIOP) open source implementation based on [MICO](/source/MICO) CORBA.<ref>{{Cite book |last1=Lang |first1=Ulrich |url=http://www.artechhouse.com/Main/Books/Developing-Secure-Distributed-Systems-with-CORBA-749.aspx |title=Developing Secure Distributed Systems with COBRA |last2=Schreiner |first2=Rudolf |date=1 February 2002 |publisher=Artech House Publishers |isbn=9781580532952 |language=English}}</ref>

===Security Policy Automation===
To solve various challenges around implementing secure distributed systems, ObjectSecurity released OpenPMF version 1,<ref>{{cite web |last=Lorang |first=Gerald |date=2004 |title=New Coach platform improves development of distributed applications. in Primeur Magazine |url=http://www.hoise.com/primeur/04/articles/monthly/AE-PR-09-04-61.html |archive-url=https://web.archive.org/web/20041212163759/http://www.hoise.com/primeur/04/articles/monthly/AE-PR-09-04-61.html |url-status=dead |archive-date=December 12, 2004 |website=www.hoise.com}}</ref> at that time one of the first [Attribute Based Access Control](/source/Attribute_Based_Access_Control) (ABAC) products in the market. It allowed the central authoring of access rules, and the automatic enforcement across all middleware nodes using local decision/enforcement points. Thanks to the support of several [EU](/source/European_Union) funded research projects, ObjectSecurity found that a central ABAC approach alone was not a manageable way to implement security policies.<ref>{{cite web| url= http://ec.europa.eu/research/transport/projects/items/ad4_en.htm | title = AD4EU FP6 Project Website }}</ref><ref>{{cite web| url= http://objectsecurity.com/doc/coachprojectflyer.pdf | title = COACH project flyer }}</ref>

ObjectSecurity released OpenPMF version 2. It is based on a concept called [model-driven security](/source/model-driven_security) which allows the intuitive, business-centric specification of security requirements and the automatic generation of enforceable securities policies.<ref name="mds" /><ref name="ltn">{{ cite web| url= http://objectsecurity.com/doc/LTnetwork-ICT-SIG-newsletter-April-2008-cached.pdf | title = The newsletter of LTN's Information & Communications Technologies Special Interest Group 2008, p.4 (PDF hosted by ObjectSecurity, LTN is not operating anymore )}}</ref> OpenPMF version 2 was designed to bridge the semantic gap between the policies that users manage, and the policies that are technically implemented. At the time of the release of OpenPMF version 2, [model-driven security](/source/model-driven_security) was tied together with a [model-driven development](/source/model-driven_development) process for applications, especially for agile [service oriented architecture](/source/service_oriented_architecture) (SOA).<ref name="ltn" />

After years of publishing and presenting the scientific and technical approach, some analyst firms, such as [Gartner](/source/Gartner) took note of the scientific approach.<ref name="publist">{{cite web| url= http://www.objectsecurity.com/en-home-resources.html | title = ObjectSecurity Publications Website }}</ref> Several other awards and recognition followed.<ref>{{cite web| url= http://www.objectsecurity.com/doc/ISSE%202009-10-07_TeleTrusT%20Innovation%20Award_090930-EN.pdf | title = TeleTrusT Awards }}</ref><ref>{{cite web| url= https://www.cl.cam.ac.uk/ring/awards.html | title = University of Cambridge Computer Lab Ring Awards | date = 23 January 2018 }}</ref> OpenPMF version 3 was released in 2010, supporting advanced policies, [Eclipse](/source/Eclipse_(software)), [cloud](/source/Cloud_computing), [BPMN](/source/Business_Process_Model_and_Notation),<ref>{{cite web| url= http://www.infoworld.com/article/2631386/open-source-software/open-source-software-best-of-open-source-software-awards-2009.html?page=2 | title = Best of Open Source Software Awards 2009 (mentions the OpenPMF 2.0 integration into the open source Intalio BPMS | date = 31 August 2009 }}</ref> SOA, [XACML](/source/XACML), pub-sub/DDS, and numerous additional enforcement points.<ref>{{cite web| url= http://www.objectsecurity.com/doc/20100222_openpmf30.pdf | title = ObjectSecurity OpenPMF v3 Release }}</ref> ObjectSecurity also extended their [model-driven security](/source/model-driven_security) approach to include automatic compliance/accreditation analysis and evidence generation<ref>{{cite web| url= http://csis.gmu.edu/wisg2009/ | title = Rudolf Schreiner and Ulrich Lang, "Model Driven Security Accreditation (MDSA) For Agile, Interconnected IT Landscapes", WISG Conference Proceedings 2009 }}</ref>

In 2009, ObjectSecurity set up an independent legal entity in [California](/source/California), United States to be closer to their US-based customers.<ref>{{cite web| url= http://www.bizjournals.com/sanjose/stories/2009/07/20/smallb3.html?page=all/ | title = ObjectSecurity in Palo Alto aims to make security automatic, Silicon Valley Business Journal, 2009 }}</ref>

In recent years, ObjectSecurity has extended OpenPMF to support automatic system detection, automated formal testing,<ref name="nist">{{cite web| url= https://csrc.nist.gov/Projects/Access-Control-Policy-Tool/Beta-Release-Of-Access-Control-Policy-Tool | title = Beta Release Of Access Control Policy Tool, retrieved 2018 | date = 24 May 2016 }}</ref> virtual reality support, API server etc., enabling security policy automation without the need to install local agents, and allowing the use of [model-driven security](/source/model-driven_security) without the need for a [model-driven development](/source/model-driven_development). OpenPMF's support for advanced access control models including proximity-based access control, PBAC was also further extended.<ref name="pbac">{{cite web| url= https://www.sbir.gov/sbirsearch/detail/415285 | title = Proximity Based Access Control SBIR Award Notice, 2013 }}</ref>

==Products==
===OpenPMF 4.0===
In 2017, ObjectSecurity released OpenPMF version 4.0, which includes a new browser-based user interface, cloud support, and numerous other features.<ref>{{Cite web |title=Launch OpenPMF 4.0 Security Policy Automation and Management Platform. |url=https://objectsecurity.com/blog/2017/02/13/news-release/ |access-date=2023-08-25 |website=ObjectSecurity |language=en-US}}</ref>

===Supply Chain Risk Analysis Automation===
In 2019, ObjectSecurity released a beta version of a [United States Navy](/source/United_States_Navy) [SBIR](/source/SBIR) funded<ref name="scramssbir">{{cite web| url= https://www.sbir.gov/sbirsearch/detail/1188723 | title = Direct to Phase II ��� Supply Chain Risk Analysis Management Solution (SCRAMS), 2016 }}</ref> Supply Chain Risk Analysis Management Solution (SCRAMS),<ref name="scrams">{{cite web| url= https://objectsecurity.com/scrams | title = Supply Chain Risk Analysis Management Solution (SCRAMS) website, 2019 }}</ref> which analyzes procurement information from [SAP](/source/SAP_SE) and other sources for anomalies indicating supply chain risks. 
 
===Vulnerability Assessment & Pen-Testing Automation (VAPT)===
In 2019, ObjectSecurity released an alpha version of a U.S. [United States Navy](/source/United_States_Navy) [SBIR](/source/SBIR) funded<ref name="rbsbir">{{cite web| url= https://www.navysbir.com/n18_2/N182-131.htm | title = Red Team in a Box for Embedded and Non-IP Devices, 2018}}</ref> VAPT automation tools,<ref name="vapt">{{cite web| url= https://objectsecurity.com/vaptbox | title = WhizRT - VAPTBOX website, 2019 }}</ref> which automatically analyze both IP systems/networks and embedded devices (via non-IP ports) for software vulnerabilities.
  
===BinLens===
BinLens,<ref name="binlens">{{cite web| url= https://objectsecurity.com/otai/ | title = ObjectSecurity BitLens, 2024 }} </ref> previously known as OT.AI Platform,<ref name="otai">{{cite web| url= https://objectsecurity.com/otai/binlens-3-0-release/ | title = ObjectSecurity Releases BinLens 3.0 for Advanced Binary Vulnerability Analysis, 2024| date = 15 November 2024}}</ref> is an [Operational Technology](/source/Operational_Technology) / [Industrial control system](/source/Industrial_control_system) firmware security-assessment platform, aimed to detect [Common Vulnerabilities and Exposures](/source/Common_Vulnerabilities_and_Exposures) at the firmware level for many industrial devices, including PLCs, HMIs, SCADA Systems, etc. 

==References==
{{reflist|2}}

Category:Companies based in San Francisco
Category:Companies based in San Diego
Category:Business software companies
Category:Software companies based in the San Francisco Bay Area
Category:Software companies of the United States

---
Adapted from the Wikipedia article [ObjectSecurity](https://en.wikipedia.org/wiki/ObjectSecurity) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/ObjectSecurity?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
