Security engineering is at the heart of security automation, and security automation is key for doing tasks at scale. We offer a broad set of services for security engineering and security automation and our security engineers have decades of experience in state-of-the-art tool development.

In security engineering we offer both to develop in-house closed source tools, and we also offer our services in the form of open source contributions and open source maintenance. Throughout Ada Logics history we have continuously contributed to open source software tooling.

This is a broad set of services in that we build tools in many domains of software security. This includes:

• Automated vulnerability discovery tooling.
• Fuzzing infrastructure and fuzz harness writing.
• LLM agents for software security analysis.
• Software supply chain analysis tooling.
• Static code analysis tooling.
• Compiler extensions.
• Program analysis tooling.
• Automated large-scale build systems.
• Prototype implementation from research outcomes.

We put significant effort into contributing to open source security analysis tools, We consider this a positive sum game that benefits the wider software community. Below are examples of open source contributions in the domain of security engineering.

Fuzz Introspector is an open source program analysis tool that provides introspection capabilities into the fuzzing process. Fuzz Introspector leverages static and dynamic software analysis at it's core, both in the form of compiler extensions, pure static analysis and also coverage-based information from runtime. It supports a wide range of languages: C/C++/Java/Python/Rust/Golang and is a widely used tool for open source fuzzing. For example, Google's OSS-Fuzz project uses Fuzz Introspector to provide insights about more than a thousand open source projects to show how well they are fuzzed and where improvements may be possible. Fuzz Introspector is a tool hosted by the OpenSSF and Ada Logics maintain and contribute to the project.

OpenSSF Scorecard is an open source security tool that allows users to identify supply-chain risk in their GitHub and GitLab hosted projects. Ada Logics handled a major rewrite of Scorecards architecture which enabled users to extract more granular results from their projects. This in turn allowed users to write granular admission policies for the development and runtime environments. For example, some organizations may not want to allow dependencies into their dependency tree if they have employed no testing in their CI pipeline, or some organizations may not allow dependencies if they use a single maintainer. With Scorecards granular results, users can match their high-level supply-chain risk policies at the granular level. We presented this work at Supplychain Securitycon @ The Linux Foundation Open Source Summit in 2024.