Provider of software development and verification tools, AdaCore, today announced that the latest version of its signature GNAT Pro Assurance product has introduced a service that helps customers with their vulnerability mitigation strategy for third-party tools.
Image copyright Shutterstock
With GNAT Pro Assurance 22, customers can request a detailed list of known problems, each keyed to The MITRE Corporation’s Common Vulnerability Enumeration (CVE) database. Vulnerability reports are provided in machine-readable CVE JSON format as well as human-readable PDF reports.
In addition to this information, AdaCore now produces Software Bills of Materials (SBOM). SBOMs are supplied in the industry-standard Software Package Data Exchange (SPDX) format, allowing automated incorporation into customers’ vulnerability management and reporting systems.
GNAT Pro Assurance is the top-tier edition of AdaCore’s GNAT Pro product line and offers a complete Ada solution: a comprehensive suite of development and verification tools, a configurable runtime library and several specialised small-footprint runtimes.
It is geared toward developers of safety- and/or security-critical applications that require long-term maintenance, including but not limited to projects that need to meet domain-specific software assurance standards.
For safety certification, such standards include DO-178C (airborne software), EN 50128 (rail), ECSS-E-ST-40C and ECSS-Q-ST-80C (space) and ISO 26262 (automotive and industrial systems).
On the security side, relevant standards include DO-326A / ED-202A and DO-356A / ED-203A (airworthiness). For each of these safety or security standards, certification and/or qualification material for specific run-time libraries and/or tools are available to GNAT Pro Assurance customers through an optional certification support service.
Unique to GNAT Pro Assurance, the sustained branch service allows a customer to choose a specific version of the technology and receive workarounds or product updates for that version as needed to deal with critical issues. This offers guaranteed product stability, with controlled evolution to correct problems that do not have realistic workarounds.
“The challenge with software security is that vulnerabilities can and will be discovered after a system has been deployed, and systems are typically multilayered with interdependent components from different vendors,” said Alexander Senier, Lead of Cybersecurity at AdaCore. “A vulnerability that one vendor fixes might require an expensive correction in another component; if that vendor fails to make that correction, then the entire system may be insecure. With GNAT Pro Assurance, our customers don't get into such a situation.
"We provide sustained branches, we perform automatic analyses of known vulnerabilities on those branches and make them available to customers, we analyse whether security issues found in current GNAT Pro versions are present in sustained branches and port security fixes to those older versions if necessary. This enables customers to have their systems deployed securely throughout the project’s lifetime.”
“Ada is a language of choice for developers of long-lived high-reliability software, and the sustained branch service for GNAT Pro Assurance meets the needs for both stability in the product and corrections to critical problems,” said Jamie Ayre, Commercial Director at AdaCore. “Solving a blocking problem by moving to a new product version that introduces unrelated enhancements may fix one defect but could introduce regressions or trigger other problems.
"With GNAT Pro Assurance’s sustained branch service, which stands out in the industry, a customer can lock in a specific version of the product and then receive updates only when needed to address a critical issue.”