Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate and advance the state of the art in this area through the exchange of ideas.

Monday 30 November 2009

Business Process Sequence Policies

Today I would like to share the idea of stateful sequence policies for business process (BPM) orchestrated applications. This was published back in 2007, and was also implemented in OpenPMF's model-driven security feature a while back.

For example, the generic process sequence policy "only allow each step in the workflow if the previous interaction also happened" means that interactions are only allowed to be executed in the order of the workflow. Simple, generic, intuitive and useful.

But how do you translate this into technical access control rules for your specific interconnected application without having to rewrite the policy each time you change the application? Model-driven security (as implemented in OpenPMF) can turn such generic security policies into application-specific technical security policies by analyzing the application (in this case the BPM model). To make this work, we had to slightly extend our rule language and add a few things to the runtime infrastructure. If you want to see how this works in the real world (within a BPM software development tool), go to , and get your free trial.
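A minimal sketch of the idea above, added here as an illustration; it is not OpenPMF's rule language or code. The generic policy is written once in `generate_rules`, and the concrete rules are regenerated whenever the workflow model changes. The model format, step names and class names are hypothetical, and "previous interaction" is assumed to mean the immediately preceding step within the same process instance.

```python
from collections import defaultdict

START = None  # marks a process entry point (no predecessor)

# Constructed workflow models: (previous_step, step) edges.
ORDER_V1 = [(START, "submit_order"), ("submit_order", "approve_order"),
            ("approve_order", "ship_goods")]
# Same process after a change: a credit check is inserted before approval.
ORDER_V2 = [(START, "submit_order"), ("submit_order", "check_credit"),
            ("check_credit", "approve_order"), ("approve_order", "ship_goods")]

def generate_rules(model):
    """Generic policy, written once: a step is allowed only directly after
    one of its predecessors in the model. Returns step -> allowed predecessors."""
    rules = defaultdict(set)
    for prev, step in model:
        rules[step].add(prev)
    return dict(rules)

class SequenceMonitor:
    """Stateful decision point keeping the last allowed step per process instance."""

    def __init__(self, rules):
        self.rules = rules
        self.last_step = {}  # process instance id -> last allowed step

    def decide(self, instance_id, step):
        allowed_prev = self.rules.get(step)
        if allowed_prev is None:
            return False  # step is not in the model: default deny
        if self.last_step.get(instance_id, START) not in allowed_prev:
            return False  # out of order or replayed: state stays unchanged
        self.last_step[instance_id] = step
        return True

def replay(model, events):
    """Run (instance_id, step) events through rules generated from model."""
    monitor = SequenceMonitor(generate_rules(model))
    return [monitor.decide(inst, step) for inst, step in events]

if __name__ == "__main__":
    events = [("p1", "approve_order"), ("p1", "submit_order"),
              ("p1", "approve_order"), ("p2", "ship_goods")]
    print(replay(ORDER_V1, events))
    print(replay(ORDER_V2, events))
```

The same event trace is decided differently under the two models because only the model changed; the policy function was not touched.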

Thursday 26 November 2009

Update: Model Driven Security Accreditation (MDSA) publications

ObjectSecurity published a scientific ACM paper, "Model Driven Security Accreditation (MDSA) For Agile, Interconnected IT Landscapes", at the 1st ACM Workshop on Information Security Governance, November 13, 2009, Hyatt Regency Chicago, Chicago, USA.

You can learn more about MDSA, MDS, and SOA Security here:

E-Book 3 - Model-Driven Security Accreditation for Agile IT Landscapes
E-Book 2 - Security Policy Management with Model Driven Security
E-Book 1 - SOA Security Concerns & Recommendations

Tuesday 7 July 2009

Upcoming Webinar with Intalio: Securing Agile Process-Led Applications with OpenPMF for Intalio BPMS

Organizations today need to meet increasingly demanding security and compliance requirements, while software applications and business processes get ever more complex and agile (e.g. Service Oriented Architecture, Business Process Modeling). According to industry analysts, most security products in use today focus on the network layer, while the majority of cyber attacks today exploit vulnerabilities on the application layer. Application security and a secure development process are therefore a critical element of any security strategy. However, application security is often not dealt with effectively due to time and cost pressures, especially in the current economic climate.

In this webinar, you will learn:
1) application security challenges and solutions
2) agile SOA security challenges and solutions
3) aspects and stages of the secure development lifecycle (including policy abstraction, externalization, authoring, automation, enforcement, monitoring, and verification)
4) how OpenPMF can be used to protect and monitor agile applications with minimal effort by automatically generating technical security policies for your applications and processes from intuitively captured security & compliance requirements.
5) how the newly packaged, award-winning OpenPMF 2.0 application security automation product ( version can be used in action for Intalio BPMS (, the leading open-source-based Business Process Modeling (BPM) application automation vendor.

Date: Monday July 20, 2009
Time: 9:00 AM PST (12:00 PM EST, 5:00 PM GMT, 6:00 PM CET)
To Register:

Wednesday 24 June 2009

Model Driven Security Accreditation (MDSA)

Exciting news! Model Driven Security is now applied to assurance accreditation for agile IT landscapes.

Assurance accreditation of agile, interconnected IT landscapes is a great challenge, and is currently often cited as one of the show-stoppers for the adoption of modern IT architectures (e.g. SOA) in mission critical domains.

ObjectSecurity’s patent-pending Model Driven Security Accreditation (MDSA) approach automates large parts of the compliance and assurance accreditation management processes (e.g. Common Criteria). The benefits of MDSA are most significant for agile, interconnected IT “systems of systems” that are model-driven (potentially also business process-driven). MDSA automatically analyses and documents two main aspects:
  1. Does the actual security match with the stated requirements?
  2. Do any changes impact the current accreditation?

Model Driven Security Accreditation (MDSA) enables “agile accreditation” in a way that is cost-effective, low-effort (i.e. partly automated), and reliable / traceable. MDSA especially enables agile accreditation for agile, interconnected IT landscapes based on model-driven, process-led application development and deployment approaches, and on standard middleware and runtime platforms (e.g. SOA).

MDSA allows the automated, formalised assignment of “undistorted” Common Criteria assurance requirements to IT landscape specific technical assurance control objectives in functional system specifications. Both are expressed as formalised models and are automatically and traceably matched. Using model-driven security (MDS), the technical assurance control requirements are then automatically transformed into concrete technical IT enforcement & monitoring at runtime. In addition, the traceable correspondence between technical security implementation and the information assurance requirements is analysed and checked. MDSA also documents Common Criteria “supporting evidence” based on all available design-time system / security models, system / security artefacts, system / security model transformations, and runtime system / security incident logs.

Furthermore, MDSA enables the automated analysis of whether changes to, or newly discovered knowledge about, an agile IT landscape impact its security properties, and whether the accreditation is still valid. The goal of MDSA is to automatically check whether IT systems security meets its assurance accreditation requirements, and to check the impact of changes (incl. system, security, requirements, newly discovered vulnerabilities) on the accreditation. Based on so-called “change policies”, MDSA decides whether particular system re-configurations are within scope of the current accreditation (thus enabling a level of IT agility) or whether manual corrections and re-accreditation are required.

MDSA also makes it possible to assess the impact of newly discovered security vulnerabilities, e.g. weaknesses in crypto algorithms or buffer overflows in libraries, on one system or multiple systems as part of an Accreditation Management System (AMS), a central database of fine-grained accreditation information. If manual re-accreditation is required, MDSA also acts as a decision support tool.

Current State
A ~80 page concept exploration study has been produced for the UK Ministry of Defence, and a scientific paper is being submitted for publication. MDSA is currently at the prototype stage. Please contact ObjectSecurity if you are interested in further information about the OpenPMF MDSA prototype or the study.

Wednesday 11 March 2009

New Analyst Coverage for Model-Driven Security

IT analyst firm Gartner has today again raised awareness of model-driven security in Tom Scholtz's report "No More Dr. No: Developing a Strategy for Business-Aligned Information Security" (10 March 2009, ID:G00166010), which advocates that rather than simply saying no to new technology, effectively aligning information security practices with business strategy results in optimized security efforts and investments. Such business alignment requires a multifaceted strategy." The report recommends that businesses "... investigate the potential benefits of modeling-based policy automation. Such technology solutions support the development, implementation and management of security policies that are inherently integrated into the business requirements modeled during IT service solution design." You can find further information about model-driven security (+ model-driven compliance, model-driven security accreditation) and about ObjectSecurity's OpenPMF product at