We are pleased to share this article from Ada Germany that was originally published in February 2025.

This article was contributed by Tobias Philipp (Chair), Christina Unger (Deputy Chair), Dr. Hubert B. Keller, and experts from Ada Deutschland e.V. Many thanks!
Original article (in German): https://gi-radar.de/372-sicherer-durch-ada/

What makes our software so vulnerable?

The majority of today’s technical systems are largely composed of software. As such, the reliability and security of these systems depend heavily on the reliability and security of their software components. And this is precisely where a major problem lies: increasing connectivity and a large number of known vulnerabilities in commonly used software make our systems highly susceptible to attack.

Cyberattacks with significant consequences have, in fact, become almost routine. A Bitkom study on cybercrime dated 5 August 2021 estimated that theft, espionage, and sabotage cause annual damage of €223 billion to the German economy—more than double the amount reported in 2018/19. The study revealed that in 2020/21, nine out of ten companies were affected by cyberattacks.

This not only poses a threat to businesses but also puts critical infrastructure, supply chains, industry as a whole, and networked systems such as autonomous vehicles particularly at risk.

But what exactly makes our software so vulnerable?

The Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes advisories on vulnerabilities in software used in technical systems and maintains a catalog of exploited security issues. Similarly, the CVE program compiles and publishes a catalog from which the “Top 25 Most Dangerous Software Weaknesses” are derived and highlighted.

Reviewing these top 25 weaknesses reveals recurring issues, primarily across two areas.
The first includes everything that enables unauthorized access through falsified identities and manipulated data: insufficient password protection, incorrect user management, insecure transmission of sensitive information, and inadequate validation of input data. Incredibly, even “hard-coded credentials” continue to appear on the list.

The second category concerns implementation errors - incorrect or unsafe coding practices and a lack of code verification. High on the list are memory management errors: out-of-bounds read and write, buffer overflows, null pointer dereferencing, use-after-free, and so forth. Both Microsoft and Google Chrome have confirmed that approximately 70% of the vulnerabilities they address stem from insecure memory handling.

This issue can, to a large extent, be considered a matter of programming language choice—particularly in the absence of suitable memory abstractions. That is one of the reasons behind the NSA’s 2022 fact sheet on secure programming languages, which advocates for languages with safe memory management - such as Ada.

With good reason: programming languages like Ada can systematically prevent entire classes of errors through strong typing and extensive compile-time and runtime checks. In Ada, an array is not merely a pointer to the first element, but a semantic structure that inherently includes its index types and bounds. Read and write operations are verified by both the compiler and at runtime.

Twelve of the Top 25 weaknesses would be precluded by the use of Ada and its syntactic and semantic checking mechanisms at compile and runtime - prevented solely through the choice of programming language, regardless of coding mistakes. A further seven weaknesses could be avoided through correct authentication, authorization, and password management.

What is alarming is that most of these issues continue to appear regularly in the Top 25, despite there being no excuse for any of them. They are, almost without exception, known and well-understood problems that make software vulnerable - flaws we are already aware of and know how to address. The fact that existing knowledge is simply not applied in practice continues to create attack vectors year after year, endangering technical systems from smart homes to critical infrastructure, and incurring immense costs.

To address this risk effectively, sustainably, and in a cost-efficient manner, patching individual weaknesses as they are discovered is not enough. Fundamental change is needed in implementation practices, along with the development of a strong security mindset among all stakeholders - from developers and managers to policymakers and society at large.

The Ada Specialist Group’s wish for a secure 2025 is therefore this: more security by design, more care in user management and communication protocols, and more critical thought in selecting programming languages. Naturally, we recommend Ada.