Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Monday 30 November 2009

Business Process Sequence Policies

Today I would like to share the idea of stateful sequence policies for business process (BPM) orchestrated applications. This has been published back in 2007, and has also been implemented in OpenPMF's model-driven security feature a while back.

For example, the generic process sequence policy "only allow each step in the workflow if the previous interaction also happened" means that interactions are only allowed to be executed in the order of the workflow. Simple, generic, intuitive and useful.

But how do you translate this into technical access control rules for your specific interconnected application without having to rewrite the policy each time you change the application? Model-driven security (as implemented in OpenPMF) can apply such generic security policies to specific technical application security policies by analyzing the application (in this case the BPM model). To make this work, we had to slightly extend our rule language and add a few things to the runtime infrastructure. If you want to see how this works in the real world (within a BPM software development tool), go to , and get your free trial.

Thursday 26 November 2009

Update: Model Driven Security Accreditation (MDSA) publications

ObjectSecurity published a scientific ACM publication "Model Driven Security Accreditation (MDSA) For Agile, Interconnected IT Landscapes" at The 1st ACM Workshop on Information Security Governance, November 13, 2009, Hyatt Regency Chicago, Chicago, USA

You can learn more about MDSA, MDS, and SOA Security here:

E-Book 3 - Model-Driven Security Accreditation for Agile IT Landscapes
E-Book 2 - Security Policy Management with Model Driven Security
E-Book 1 - SOA Security Concerns & Recommendations