Software engineering and IT security research unit

IT security is more important than ever before!

Excerpt from an interview with Prof. Eric Bodden, Dr. Matthias Becker and Dr. Matthias Meyer

The objective of the Software engineering and IT security research unit is to create processes, methods and tools for developing secure software-intensive systems. These days, software has a unique level of importance. More and more companies in fields such as plant and mechanical engineering or the automotive industry are recognizing the need to expand their software development expertise — and they are very interested in the solutions our research unit is producing. In this interview, the director, Prof. Eric Bodden, and the heads of department, Dr. Mattias Becker and Dr. Matthias Meyer, explain the reasons for this and outline the services Fraunhofer IEM has to offer.

Why should companies take an interest in secure software development, regardless of the sector they are in?

Dr. Meyer: Because software is used everywhere and it has a significant impact on the value of many products these days — not only in terms of value creation, where software development makes up a large share of product development, but also in terms of the advantages for customers and the user experience. Another factor is that in today’s technical systems, there is no safety without security. Operational safety is inextricably linked with protection against attacks and information security. Even industry standards have now started calling for this to be taken into account, for example, in the plant and mechanical engineering, automation and automotive sectors. We are working together with companies to find ways of implementing these fairly general security recommendations that suit their specific organizations.

Zitat Dr. Matthias Meyer
© Fraunhofer IEM

Are global and geopolitical crises intensifying the need to take an interest in IT security?

Prof. Bodden: IT security is more important than ever before, and more and more people are realizing the urgency of the situation. The concept of “critical infrastructure” is being discussed everywhere, from nuclear power stations to retail, logistics and supply chains. Software is used everywhere, and it needs guaranteed protection against attacks at all times. You can’t just go out and buy a universally secure software. That always has to come from individualized configurations, and requires constant reviewing. And the idea of critical supply chains now applies to software development as well, as today, up to 90 percent of software is purchased or obtained through open-source channels. The current geopolitical situation is just one of the many reasons that companies need to become less dependent on external software that lacks transparency.

What can Fraunhofer IEM offer companies that want to pay greater attention to the area of secure software development and IT security?

Dr. Becker: We offer a structured approach with suitable supporting methods and tools. This means we can also provide transparency in relation to the quality of the software and software development processes. We use a threat analysis to identify potential vulnerabilities and then seek out countermeasures. We place particular emphasis on the “secure by design” approach here: our goal is to assess the security of software-intensive systems across their entire life cycles.

Prof. Bodden: We are currently working to develop market-ready software tools that support the “secure by design” process. We want to give as many companies as possible the ability to apply this approach. Because they have a higher level of automation, more effective programming and regular backup processes, our “secure by design” tools can unlock a great deal of potential for companies.

Zitat Prof. Dr. Eric Bodden
© Fraunhofer IEM

Let’s take a look at the expertise question: how can security know-how be integrated into companies?

Dr. Becker: IT security cannot just be the development department’s responsibility; it has be on the agenda for the company’s highest-level employees. Many companies need to rethink their approach in this area, and expand their knowledge accordingly. Our range of training courses for developers, product owners and managers addresses precisely this issue. It’s important to us to go beyond just informing our customers about current technology developments; we also want to prepare them for coming challenges.

Zitat Dr. Matthias Becker
© Fraunhofer IEM

What opportunities does the new Secure Engineering Lab open up?

Dr. Meyer: Thanks to the Secure Engineering Lab, we can offer companies a modern infrastructure for software development. We bring companies into the lab for many different reasons, such as collaborating on a joint project, attending workshops and training courses, and learning about best practices. Our powerful software and hardware allows us to demonstrate how advanced software development processes can be created nowadays. The lab also gives companies the opportunity to put together a development infrastructure of their own and test it out right there on our premises.

What fields is the research unit currently focusing on more intensely?

Prof. Bodden: We have some exciting new projects in very topical fields, such as “privacy by design,” for example, where we are investigating how companies can prevent data theft and avoid the associated damage to their reputation. We are also using our development methods to tackle challenges relating to software value chains. These days, it’s not just hardware that comes primarily from external suppliers — software also has more complex supply chains now. That adds another layer of complexity when it comes to integration, in terms of both software development processes and IT security.

Research groups

Gruppe von Personen, die über ein Flipchart gebeugt steht und dieses diskutiert.
© Fraunhofer IEM

Requirements analysis and design

The requirements analysis and sesign group develops methods and tools for requirements analysis and software design of high-quality, secure IoT systems. Our solutions are based on the principle of safety and security by design and are aligned with industry standards for safety (e.g. ISO 26262), security (e.g. IEC 62443) and process quality (e.g. SPICE). We use model-based methods, e.g. for hazard and threat analyses, requirements engineering and architecture design. We also transfer our knowledge to industrial applications through coaching on the job and training courses.

Gruppe Softwarekonstruktion und -analyse
© Fraunhofer IEM

Software design and analysis

The software design and analysis group researches methods and tools for creating secure software for IoT systems. In addition to techniques for automatic generation of source code from design models, we work on highly efficient and precise methods and tools for automated static and dynamic software analysis so that quality issues and, in particular, security vulnerabilities can be identified as early as the development stage. We focus on programming languages such as C/C++ or the IEC-61131 languages for programmable logic controllers. One complementary research topic is solutions for analyzing IoT systems at time-of-use with a view to detecting anomalies or cyber attacks.

Secure services & apps department

The secure services & apps department assists companies with the development of secure back-end and front-end software. Following the security-by-design principle, we offer solutions for smartphones (Android and iOS), desktop (Windows, macOS, Linux) and browser applications. We support teams from a variety of industries — from software, IT consulting, insurance, healthcare and education to manufacturing companies. The aim of our research is to provide software developers with the right knowledge and the best tools to make their software more secure over the long term.

Research groups

Fachgruppe Entwicklungsteams- und prozesse
© Fraunhofer IEM

Development teams and processes

The development teams and processes group specializes in enabling companies to develop secure software and optimize their processes. We design and deliver training that is tailored to the individual requirements of industries, technologies and companies. Our training courses are aimed at software developers as well as their stakeholders such as product owners, managers and end customers. Our aim is to raise awareness and improve security skills in the business so that every team member can contribute to software security in the best possible way. In addition, we support industry partners through consulting, data analysis and the introduction of key performance indicators (KPIs). One area of focus is the improvement of agile DevOps processes.

Aufgeklappter Laptop, auf dessen Bildschirm verschiedene farbige Diagramme zu sehen sind.
© Fraunhofer IEM

Development tools

The development tools group researches, designs and develops prototype tools for developers so they can analyze software vulnerabilities using the latest program analysis techniques for Java, .NET, JavaScript and other programming languages. We focus on tools for static code analysis that are particularly fast and report relevant issues to users in an easily understandable way. In addition, we combine other methods, such as dynamic analysis or machine learning, in order to obtain vulnerability analyses with even greater relevance.

Labs and testing facilities


Secure Engineering Lab

Re-think your approach to safety and security and safeguard your software-intensive systems.


Fraunhofer IEM researchers have developed some world-leading software tools. The most important of these are listed below.


The tool  CogniCrypt was developed as part of the special research unit CROSSING at the Technical University of Darmstadt and in cooperation with the Heinz Nixdorf Institute at the University of Paderborn. CogniCrypt helps developers to quickly and reliably identify and fix security-critical misuse of cryptographic libraries. Fraunhofer IEM has now developed this tool to market maturity and makes it available as an open source Eclipse project.

Tablet, auf dem das Werkzeug CogniCrypt zu sehen ist.
© Fraunhofer IEM

Soot ecosystem

Soot  is the world’s leading framework for static and dynamic analysis of Java and Android applications. As a generic framework, it forms the basis for many other Fraunhofer IEM tools and for more than 1,500 other research groups worldwide.

Boomerang and IDEal are extensions to the Soot framework providing highly efficient and accurate pointer analysis and data flow analysis based on it. An analysis based on Soot, Boomerang and IDEal is designed to be “demand-driven,” analyzing only those parts of the program code for which it is necessary. This approach, together with algorithms and program abstractions developed at the Fraunhofer IEM, makes data flow analysis significantly faster without sacrificing precision.


FlowDroid is the world’s leading static data flow analysis tool for Java and Android applications. At its core, it is based on Soot, but extends this to include powerful and accurate data flow analysis and support for Android app analysis. FlowDroid is used by hundreds of research groups around the world and is also used commercially, for example as the basis for security analyses on one of the world’s largest app stores. Like Soot, FlowDroid is also available as open-source software.   


Phasaris the first open-source framework for static program analysis based on the LLVM compiler framework. Phasar is mainly used to analyze C/C++ source code, but can also be used to analyze other programming languages and binary formats that support LLVM. Unlike LLVM itself, Phasar includes call-graph and pointer analyses, as well as a framework for efficient implementation of inter-procedural data flow analyses. Phasar is available as open-source software.

Selected publications concerning software engineering and IT security.

A full list of our publications can be found here.


Geismann, Johannes; Bodden, Eric: A systematic literature review of model-driven security engineering for cyber–physical systems. Journal of Systems and Software, 169, Nov. 2020 (Details)
Koch, Thorsten; Dziwok, Stefan; Holtmann, Jörg; Bodden, Eric: Scenario-based Specification of Security Protocols and Transformation to Security Model Checkers. In: ACM/IEEE 23rd International Conference on Model Driven Engineering Languages and Systems (MODELS ’20), 18. - 23. Okt. 2020, ACM (Details)
Holtmann, Jörg; Steghöfer, Jan-Philipp; Rath, Michael; Schmelter, David: Cutting through the Jungle: Disambiguating Model-based Traceability Terminology. In: Proceedings of the 28th IEEE International Requirements Engineering Conference, 31. Aug. - 4. Sep. 2020, IEEE (Details)
Fischer, Andreas; Fuhry, Benny; Kerschbaum, Florian; Bodden, Eric: Computation on Encrypted Data using Dataflow Authentication. In: Privacy Enhancing Technologies Symposium (PETS/PoPETS), Jul. 2020 (Details)
Benz, Manuel; Krogh Kristensen, Erik; Luo, Linghui; P. Borges Jr., Nataniel; Bodden, Eric; Zeller, Andreas: Heaps'n Leaks: How Heap Snapshots Improve Android Taint Analysis. In: International Conference for Software Engineering (ICSE), Mai 2020 (Details)
Krüger, Stefan; Ali, Karim; Bodden, Eric: CogniCrypt_GEN - Generating Code for the Secure Usage of Crypto APIs. In: International Symposium on Code Generation and Optimization (CGO), S. 185-198, Feb. 2020 (Details)
Nguyen, Lisa; Bodden, Eric: Explaining Static Analysis with Rule Graphs. IEEE Transactions on Software Engineering 2020 (Details)


Piskachev, Goran; Nguyen, Lisa; Johnson, Oshando; Bodden, Eric: SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods. In: IEEE/ACM International Conference on Automated Software Engineering (ASE 2019), Tool Demo Track, Nov. 2019 (Details)
Fazal-Baqaie, Masud; Strüwer, Jan-Niclas; Schmelter, David; Dziwok, Stefan: Coaching on the Job bei Unternehmen des Maschinen- und Anlagenbaus - Wissenslücken schließen zur Weiterpflege modernisierter IT-Anwendungen. In: Mikusz, Martin (Hrsg.) Projektmanagement und Vorgehensmodelle 2019 (PVM 2019), 24. - 25. Okt. 2019 Gesellschaft für Informatik, Lecture Notes in Informatics (LNI) (Details)
Fockel, Markus; Merschjohann, Sven; Fazal-Baqaie, Masud; Förder, Torsten; Hausmann, Stefan; Waldeck, Boris: Designing and Integrating IEC 62443 Compliant Threat Analysis. In: Proceedings of the 26th European System, Software & Service Process Improvement & Innovation Conference (EuroSPI 2019), S. 57--69, Sep. 2019, Springer International Publishing (Details)
Holtmann, Jörg: Improvement of Software Requirements Quality based on Systems Engineering. Dissertation, Fakultät für Elektrotechnik, Informatik und Mathematik, Universität Paderborn, Jun. 2019 (Details)
Wohlers, Benedict; Dziwok, Stefan; Pasic, Faruk; Lipsmeier, Andre ; Becker, Matthias: Monitoring and Control of Production Processes based on Key Performance Indicators for Mechatronic Systems. International Journal of Production Economics 2019 (Details)
Späth, Johannes; Ali, Karim; Bodden, Eric: Context-, Flow-, and Field-sensitive Data-flow Analysis Using Synchronized Pushdown Systems. Proceedings of the ACM SIGPLAN Symposium on Principles of Programming Languages, 3(POPL): S. 48:1--48:29, Jan. 2019 (Details)
Schubert, David; Eikerling, Hendrik; Holtmann, Jörg: Application-aware Intrusion Detection: A Systematic Literature Review and Implications for Automotive Systems. In: 17th escar Europe : embedded security in cars Ruhr-University Bochum, University Library, 2019 (Details)


Fockel, Markus: Safety Requirements Engineering for Early SIL Tailoring. Dissertation, Fakultät für Elektrotechnik, Informatik und Mathematik, Universität Paderborn, Dez. 2018 (Details)
Pohlmann, Uwe; Hüwe, Marcus: Model-driven allocation engineering: specifying and solving constraints based on the example of automotive systems. Automated Software Engineering, Nov. 2018 (Details)
Fockel, Markus; Merschjohann, Sven; Fazal-Baqaie, Masud: Threat Analysis in Practice - Systematically Deriving Security Requirements. In: 19th International Conference on Product-Focused Software Process Improvement (PROFES 2018), LNCS 11271, Nov. 2018, Springer Nature Switzerland AG (Details)
Pohlmann, Uwe: A Model-driven Software Construction Approach for Cyber-physical Systems. Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik, 2018 (Details)
Pauck, Felix; Bodden, Eric; Wehrheim, Heike: Do Android Taint Analysis Tools Keep their Promises?. In: ESEC/FSE 2018: Joint meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, 4. - 9. Nov. 2018 (Details)


Gerking, Christopher; Bodden, Eric; Schäfer, Wilhelm: Industrial Security by Design - Nachverfolgbare Informationssicherheit für Cyber-Physische Produktionssysteme. In: Maier, Günter W.; Engels, Gregor; Steffen, Eckhard (Hrsg.) Handbuch Gestaltung digitaler und vernetzter Arbeitswelten, Springer Reference Psychologie Springer, Berlin/Heidelberg, Okt. 2017 (Details)
Dziwok, Stefan: Specification and Verification for Real-Time Coordination Protocols of Cyber-physical Systems. Paderborn University, Sep. 2017 (Details)
Nguyen, Lisa; Ali, Karim; Livshits, Benjamin; Bodden, Eric; Smith, Justin; Murphy-Hill, Emerson: Cheetah: Just-in-Time Taint Analysis for Android Apps. In: International Conference for Software Engineering (ICSE), Tool Demonstrations Track, Mai 2017 (Details)
Becker, Matthias: Engineering Self-Adaptive Systems with Simulation-Based Performance Prediction. Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik, 2017 (Details)
Frieben, Jens: Early Performance Analysis of Automation Systems Based on Systems Engineering Models. Universität Paderborn, Heinz Nixdorf Institut, Softwaretechnik, 2017 (Details)


Platenius, Marie Christin; Becker, Matthias; Hüllermeier, Eyke; Schäfer, Wilhelm: Imprecise Matching of Requirements Specifications for Software Services using Fuzzy Logic. IEEE Transactions on Software Engineering, 43(8): S. 739-759, Dez. 2016 (Details)
Holzinger, Philipp; Triller, Stefan; Bartel, Alexandre; Bodden, Eric: An In-Depth Study of More Than Ten Years of Java Exploitation. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS '16, S. 779-790, Vienna, Austria, 24. - 28. Okt. 2016 (Details)
Holtmann, Jörg; Fockel, Markus; Koch, Thorsten; Schmelter, David: Requirements Engineering - Zusatzaufgabe oder Kernkompetenz?. OBJEKTspektrum, (RE/2016), Jun. 2016 (Details)
Nadi, Sarah; Krüger, Stefan; Mezini, Mira; Bodden, Eric: Jumping Through Hoops: Why do Java Developers Struggle With Cryptography APIs?. In: International Conference for Software Engineering (ICSE), S. 935-946, Mai 2016 (Details)
Holtmann, Jörg; Bernijazov, Ruslan; Meyer, Matthias; Schmelter, David; Tschirner, Christian: Integrated and iterative systems engineering and software requirements engineering for technical systems. Journal of Software Evolution and Process, Mai 2016 (Details)

Ihre Ansprechpartner

Eric Bodden

Contact Press / Media

Prof. Dr. Eric Bodden

Director Software Engineering and IT Security

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-150

Matthias Meyer

Contact Press / Media

Dr. Matthias Meyer

Head of Department Software Engineering and IT Security

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-122

Matthias Becker

Contact Press / Media

Dr. Matthias Becker

Group Manager Digital Services & Apps

Fraunhofer Institute for Mechatronic Systems Design IEM
Zukunftsmeile 1
33102 Paderborn

Phone +49 5251 5465-158