Software engineering and IT security research unit

IT security is more important than ever before!

Excerpt from an interview with Eric Bodden, Matthias Becker and Matthias Meyer

The objective of the Software engineering and IT security research unit is to create processes, methods and tools for developing secure software-intensive systems. These days, software has a unique level of importance. More and more companies in fields such as plant and mechanical engineering or the automotive industry are recognizing the need to expand their software development expertise — and they are very interested in the solutions our research unit is producing. In this interview, the director, Eric Bodden, and the heads of department, Mattias Becker and Matthias Meyer, explain the reasons for this and outline the services Fraunhofer IEM has to offer.

Why should companies take an interest in secure software development, regardless of the sector they are in?

Matthias Meyer: Because software is used everywhere and it has a significant impact on the value of many products these days — not only in terms of value creation, where software development makes up a large share of product development, but also in terms of the advantages for customers and the user experience. Another factor is that in today’s technical systems, there is no safety without security. Operational safety is inextricably linked with protection against attacks and information security. Even industry standards have now started calling for this to be taken into account, for example, in the plant and mechanical engineering, automation and automotive sectors. We are working together with companies to find ways of implementing these fairly general security recommendations that suit their specific organizations.

Zitat Dr. Matthias Meyer
© Fraunhofer IEM

Are global and geopolitical crises intensifying the need to take an interest in IT security?

Eric Bodden: IT security is more important than ever before, and more and more people are realizing the urgency of the situation. The concept of “critical infrastructure” is being discussed everywhere, from nuclear power stations to retail, logistics and supply chains. Software is used everywhere, and it needs guaranteed protection against attacks at all times. You can’t just go out and buy a universally secure software. That always has to come from individualized configurations, and requires constant reviewing. And the idea of critical supply chains now applies to software development as well, as today, up to 90 percent of software is purchased or obtained through open-source channels. The current geopolitical situation is just one of the many reasons that companies need to become less dependent on external software that lacks transparency.

What can Fraunhofer IEM offer companies that want to pay greater attention to the area of secure software development and IT security?

Matthias Becker: We offer a structured approach with suitable supporting methods and tools. This means we can also provide transparency in relation to the quality of the software and software development processes. We use a threat analysis to identify potential vulnerabilities and then seek out countermeasures. We place particular emphasis on the “secure by design” approach here: our goal is to assess the security of software-intensive systems across their entire life cycles.

Eric Bodden: We are currently working to develop market-ready software tools that support the “secure by design” process. We want to give as many companies as possible the ability to apply this approach. Because they have a higher level of automation, more effective programming and regular backup processes, our “secure by design” tools can unlock a great deal of potential for companies.

Zitat Prof. Dr. Eric Bodden
© Fraunhofer IEM

Let’s take a look at the expertise question: how can security know-how be integrated into companies?

Matthias Becker: IT security cannot just be the development department’s responsibility; it has be on the agenda for the company’s highest-level employees. Many companies need to rethink their approach in this area, and expand their knowledge accordingly. Our range of training courses for developers, product owners and managers addresses precisely this issue. It’s important to us to go beyond just informing our customers about current technology developments; we also want to prepare them for coming challenges.

Zitat Dr. Matthias Becker
© Fraunhofer IEM

What opportunities does the new Secure Engineering Lab open up?

Matthias Meyer: Thanks to the Secure Engineering Lab, we can offer companies a modern infrastructure for software development. We bring companies into the lab for many different reasons, such as collaborating on a joint project, attending workshops and training courses, and learning about best practices. Our powerful software and hardware allows us to demonstrate how advanced software development processes can be created nowadays. The lab also gives companies the opportunity to put together a development infrastructure of their own and test it out right there on our premises.

What fields is the research unit currently focusing on more intensely?

Eric Bodden: We have some exciting new projects in very topical fields, such as “privacy by design,” for example, where we are investigating how companies can prevent data theft and avoid the associated damage to their reputation. We are also using our development methods to tackle challenges relating to software value chains. These days, it’s not just hardware that comes primarily from external suppliers — software also has more complex supply chains now. That adds another layer of complexity when it comes to integration, in terms of both software development processes and IT security.

Department Safe & Secure IoT Systems

The department researches processes, methods and tools for the efficient development and operation of reliable and secure software-intensive systems of the (Industrial) Internet of Things (IoT). We enable high software quality and consider not only functional safety, but especially information security. We place particular emphasis on taking safety and security into account as early as possible and throughout the entire life cycle (safety and security by design). We cooperate with national as well as international companies and research institutions and regularly publish our findings at high-profile scientific conferences and lecture events.

Research groups

Gruppe von Personen, die über ein Flipchart gebeugt steht und dieses diskutiert.
© Fraunhofer IEM

Requirements engineering and design

The group develops methods and tools for requirements analysis and software design of high quality, safe, and secure IoT systems. Our solutions follow the Safety-and-Security-by-Design-principle and align with norms for safety (e.g., ISO 26262), security (e.g., IEC 62443), and process quality (e.g., SPICE). We use model-based methods, e.g., for hazard and threat analysis, requirements engineering, and architecture design. Additionally, we transfer our knowledge into industrial application by coaching-on-the-job and training services.

Gruppe Softwarekonstruktion und -analyse
© Fraunhofer IEM

Software construction and analysis

to techniques for the automatic generation of source code from design models, we are working on highly efficient and precise methods and tools for automated static and dynamic software analysis in order to detect quality problems and, in particular, security vulnerabilities already during development. We focus on programming languages such as C/C++ or the IEC-61131 languages for programmable logic controllers (PLC). A complementary research focus is on solutions for time-of-use analysis of IoT systems to detect anomalies or cyber attacks.

Department Secure services & apps

The department supports local and international companies developing secure services and apps for smartphones (Android and iOS), desktops (Windows, MacOS, Linux), or the web. We support teams from all kinds of sectors, e.g., software, IT consultants, insurance, health, education, and manufacturing to evaluate and improve their processes and train them in efficient and secure software engineering. To automate the security checks of software, we design, build, and evaluate tools that help teams detect potential security risks as early as possible. We want to enable security for everyone, so we focus on the usability of our security tools.

We collaborate with renowned researchers and successful companies worldwide. We regularly publish our research results in peer-reviewed scientific journals and at prestigious conferences.

Research groups

Fachgruppe Entwicklungsteams- und prozesse
© Fraunhofer IEM

Development teams and processes

The group is specialized in empowering development teams and improving their processes – especially in the context of software security. We develop and conduct professional trainings tailored to the company’s domain, technologies, and culture. The participants of our trainings are developers and their stakeholders like product owners, executives, and customers. Our training goal is to raise their awareness and their security competence such that everyone can fulfill its role in the context of software security. In addition, we work closely together with our industry partners to identify security issues in their processes and software as early as possible. We achieve this via consulting, data analytics, and automated monitoring of key performance indicators (KPIs). We focus on improving agile DevOps processes.

Aufgeklappter Laptop, auf dessen Bildschirm verschiedene farbige Diagramme zu sehen sind.
© Fraunhofer IEM

Development tools

The group researches, designs and prototypes developer-centric security checking tools based on our latest program analysis techniques for Java, .NET, JavaScript and other programming languages. Primarily, we develop static code analyses that are fast and report the relevant issues to the user that are easy to explain. Additionally, we combine other methods, such as dynamic analyses or machine-learning to achieve better results, i.e., results that are more relevant to the context of use. An important aspect of our tools is the usability and the workflow integration for software developers. We regularly perform empirical user studies with our tools or others from the market such as CodeQL/Github, Infer/Meta, etc .

Labs and testing facilities


Secure Engineering Lab

Re-think your approach to safety and security and safeguard your software-intensive systems.


Fraunhofer IEM researchers have developed some world-leading software tools. The most important of these are listed below.


The tool  CogniCrypt was developed as part of the special research unit CROSSING at the Technical University of Darmstadt and in cooperation with the Heinz Nixdorf Institute at the University of Paderborn. CogniCrypt helps developers to quickly and reliably identify and fix security-critical misuse of cryptographic libraries. Fraunhofer IEM has now developed this tool to market maturity and makes it available as an open source Eclipse project.

Tablet, auf dem das Werkzeug CogniCrypt zu sehen ist.
© Fraunhofer IEM

Soot ecosystem

Soot  is the world’s leading framework for static and dynamic analysis of Java and Android applications. As a generic framework, it forms the basis for many other Fraunhofer IEM tools and for more than 1,500 other research groups worldwide.

Boomerang and IDEal are extensions to the Soot framework providing highly efficient and accurate pointer analysis and data flow analysis based on it. An analysis based on Soot, Boomerang and IDEal is designed to be “demand-driven,” analyzing only those parts of the program code for which it is necessary. This approach, together with algorithms and program abstractions developed at the Fraunhofer IEM, makes data flow analysis significantly faster without sacrificing precision.


FlowDroid is the world’s leading static data flow analysis tool for Java and Android applications. At its core, it is based on Soot, but extends this to include powerful and accurate data flow analysis and support for Android app analysis. FlowDroid is used by hundreds of research groups around the world and is also used commercially, for example as the basis for security analyses on one of the world’s largest app stores. Like Soot, FlowDroid is also available as open-source software.   


Phasaris the first open-source framework for static program analysis based on the LLVM compiler framework. Phasar is mainly used to analyze C/C++ source code, but can also be used to analyze other programming languages and binary formats that support LLVM. Unlike LLVM itself, Phasar includes call-graph and pointer analyses, as well as a framework for efficient implementation of inter-procedural data flow analyses. Phasar is available as open-source software.

Selected publications concerning software engineering and IT security.

A full list of our publications can be found here.


Geismann, Johannes; Bodden, Eric: A systematic literature review of model-driven security engineering for cyber–physical systems. Journal of Systems and Software, 169, Nov. 2020 (Details)
Koch, Thorsten; Dziwok, Stefan; Holtmann, Jörg; Bodden, Eric: Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers. In: ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20), 18. - 23. Okt. 2020, ACM (Details)
Holtmann, Jörg; Steghöfer, Jan-Philipp; Rath, Michael; Schmelter, David: Cutting through the Jungle: Disambiguating Model-based Traceability Terminology. In: Proceedings of the 28th IEEE International Requirements Engineering Conference, 31. Aug. - 4. Sep. 2020, IEEE (Details)
Fischer, Andreas; Fuhry, Benny; Kerschbaum, Florian; Bodden, Eric: Computation on Encrypted Data using Dataflow Authentication. In: Privacy Enhancing Technologies Symposium (PETS/PoPETS), Jul. 2020 (Details)
Benz, Manuel; Krogh Kristensen, Erik; Luo, Linghui; P. Borges Jr., Nataniel; Bodden, Eric; Zeller, Andreas: Heaps'n Leaks: How Heap Snapshots Improve Android Taint Analysis. In: International Conference for Software Engineering (ICSE), Mai 2020 (Details)
Krüger, Stefan; Ali, Karim; Bodden, Eric: CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs. In: International Symposium on Code Generation and Optimization (CGO), S. 185-198, Feb. 2020 (Details)
Nguyen, Lisa; Bodden, Eric: Explaining Static Analysis with Rule Graphs. IEEE Transactions on Software Engineering 2020 (Details)


Piskachev, Goran; Nguyen, Lisa; Johnson, Oshando; Bodden, Eric: SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods. In: IEEE/ACM International Conference on Automated Software Engineering (ASE 2019), Tool Demo Track, Nov. 2019 (Details)
Fazal-Baqaie, Masud; Strüwer, Jan-Niclas; Schmelter, David; Dziwok, Stefan: Coaching on the Job bei Unternehmen des Maschinen- und Anlagenbaus - Wissenslücken schließen zur Weiterpflege modernisierter IT-Anwendungen. In: Mikusz, Martin (Hrsg.) Projektmanagement und Vorgehensmodelle 2019 (PVM 2019), 24. - 25. Okt. 2019 Gesellschaft für Informatik, Lecture Notes in Informatics (LNI) (Details)
Fockel, Markus; Merschjohann, Sven; Fazal-Baqaie, Masud; Förder, Torsten; Hausmann, Stefan; Waldeck, Boris: Designing and Integrating IEC 62443 Compliant Threat Analysis. In: Proceedings of the 26th European System, Software & Service Process Improvement & Innovation Conference (EuroSPI 2019), S. 57--69, Sep. 2019, Springer International Publishing (Details)
Holtmann, Jörg: Improvement of Software Requirements Quality based on Systems Engineering. Dissertation, Fakultät für Elektrotechnik, Informatik und Mathematik, Universität Paderborn, Jun. 2019 (Details)
Wohlers, Benedict; Dziwok, Stefan; Pasic, Faruk; Lipsmeier, Andre ; Becker, Matthias: Monitoring and Control of Production Processes based on Key Performance Indicators for Mechatronic Systems. International Journal of Production Economics 2019 (Details)
Späth, Johannes; Ali, Karim; Bodden, Eric: Context-, Flow-, and Field-sensitive Data-flow Analysis Using Synchronized Pushdown Systems. Proceedings of the ACM SIGPLAN Symposium on Principles of Programming Languages, 3(POPL): S. 48:1--48:29, Jan. 2019 (Details)
Schubert, David; Eikerling, Hendrik; Holtmann, Jörg: Application-aware Intrusion Detection: A Systematic Literature Review and Implications for Automotive Systems. In: 17th escar Europe : embedded security in cars Ruhr-University Bochum, University Library, 2019 (Details)


Fockel, Markus: Safety Requirements Engineering for Early SIL Tailoring. Dissertation, Fakultät für Elektrotechnik, Informatik und Mathematik, Universität Paderborn, Dez. 2018 (Details)
Pohlmann, Uwe; Hüwe, Marcus: Model-driven allocation engineering: specifying and solving constraints based on the example of automotive systems. Automated Software Engineering, Nov. 2018 (Details)
Fockel, Markus; Merschjohann, Sven; Fazal-Baqaie, Masud: Threat Analysis in Practice - Systematically Deriving Security Requirements. In: 19th International Conference on Product-Focused Software Process Improvement (PROFES 2018), LNCS 11271, Nov. 2018, Springer Nature Switzerland AG (Details)
Pohlmann, Uwe: A Model-driven Software Construction Approach for Cyber-physical Systems. Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik, 2018 (Details)
Pauck, Felix; Bodden, Eric; Wehrheim, Heike: Do Android Taint Analysis Tools Keep their Promises?. In: ESEC/FSE 2018: Joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, 4. - 9. Nov. 2018 (Details)


Gerking, Christopher; Bodden, Eric; Schäfer, Wilhelm: Industrial Security by Design - Nachverfolgbare Informationssicherheit für Cyber-Physische Produktionssysteme. In: Maier, Günter W.; Engels, Gregor; Steffen, Eckhard (Hrsg.) Handbuch Gestaltung digitaler und vernetzter Arbeitswelten, Springer Reference Psychologie Springer, Berlin/Heidelberg, Okt. 2017 (Details)
Dziwok, Stefan: Specification and Verification for Real-Time Coordination Protocols of Cyber-physical Systems. Paderborn University, Sep. 2017 (Details)
Nguyen, Lisa; Ali, Karim; Livshits, Benjamin; Bodden, Eric; Smith, Justin; Murphy-Hill, Emerson: Cheetah: Just-in-Time Taint Analysis for Android Apps. In: International Conference for Software Engineering (ICSE), Tool Demonstrations Track, Mai 2017 (Details)
Becker, Matthias: Engineering Self-Adaptive Systems with Simulation-Based Performance Prediction. Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik, 2017 (Details)
Frieben, Jens: Early Performance Analysis of Automation Systems Based on Systems Engineering Models. Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik, 2017 (Details)


Platenius, Marie Christin; Becker, Matthias; Hüllermeier, Eyke; Schäfer, Wilhelm: Imprecise Matching of Requirements Specifications for Software Services using Fuzzy Logic. IEEE Transactions on Software Engineering, 43(8): S. 739-759, Dez. 2016 (Details)
Holzinger, Philipp; Triller, Stefan; Bartel, Alexandre; Bodden, Eric: An In-Depth Study of More Than Ten Years of Java Exploitation. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, S. 779-790, Vienna, Austria, 24. - 28. Okt. 2016 (Details)
Holtmann, Jörg; Fockel, Markus; Koch, Thorsten; Schmelter, David: Requirements Engineering - Zusatzaufgabe oder Kernkompetenz?. OBJEKTspektrum, (RE/2016), Jun. 2016 (Details)
Nadi, Sarah; Krüger, Stefan; Mezini, Mira; Bodden, Eric: Jumping Through Hoops: Why do Java Developers Struggle With Cryptography APIs?. In: International Conference for Software Engineering (ICSE), S. 935-946, Mai 2016 (Details)
Holtmann, Jörg; Bernijazov, Ruslan; Meyer, Matthias; Schmelter, David; Tschirner, Christian: Integrated and iterative systems engineering and software requirements engineering for technical systems. Journal of Software Evolution and Process, Mai 2016 (Details)

Got any questions or requests? Please get in touch!

Eric Bodden

Contact Press / Media

Prof. Dr. Eric Bodden

Director Software Engineering and IT Security

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-150

Matthias Meyer

Contact Press / Media

Dr. Matthias Meyer

Head of Department Secure IoT Systems

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-122

Matthias Becker

Contact Press / Media

Dr. Matthias Becker

Head of Department Secure Services & Apps

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-158