AdaCore Cybersecurity Center

FAQs

AdaCore treats all customer data as confidential and stores it on AdaCore-controlled servers, cloud systems (AWS and Google Cloud), and trusted third-party services like Salesforce and ServiceNow. Encryption at rest is enforced on all servers and user devices. Additionally, access to this data is managed through an RBAC (Role-based Access Control) system with a Principle of Least Privilege approach, ensuring users only have the necessary permissions.

AdaCore conducts regular security awareness training for all employees, including topics like phishing awareness and password management. There are dedicated incident response teams, CSIRT and PSIRT (Computer and Product Security Incident Response Teams), to handle security incidents and those related to the Software Supply Chain. AdaCore also employs automated detection systems, such as intrusion detection and Data Loss Prevention, and encourages manual reporting of security events to security staff.

AdaCore’s build system ensures full traceability from source code to the final product, allowing for the generation of SBOMs and CVE scanning. Builds are performed on ephemeral machines with restricted access. All code changes undergo review, and a full rebuild and testing process is conducted daily. Additionally, both automated and manual tests are performed before each release, and any issues are documented.

AdaCore requires code reviews for all changes or additions of external dependencies to their products' source code or build/test systems. Each third-party package is initially checked with VirusTotal internal submission, and all binaries pushed to the artifact store are scanned with Windows Defender and ClamAV. This ensures thorough security checks are conducted on any third-party software used.

AdaCore utilizes CIS Benchmarks to generate secure OS images for workstations and reviews controls annually. Password managers are required for employees, and permissions are audited regularly. Additionally, workstations are protected by anti-virus software like Windows Defender (for Windows) and Sandbox/Gatekeeper (for macOS), and OS firewalls are activated by default.