A Taxonomy of Functional Security Features and How They Can Be Located

📅 2025-01-08
📈 Citations: 0
Influential: 0
🤖 AI Summary
Problem: Selecting and implementing security features is difficult because security standards are either too abstract to guide implementation or too specific (they merely help configure a product), developers still make mistakes even when using external security frameworks, and once a system is in operation it is hard to tell which security features were implemented and where they live in the code (feature location). Method: The paper surveys security features described in the literature and examines how well popular security frameworks cover them. Contribution/Results: (1) a taxonomy of 68 functional, implementation-level security features, mapped to widely used security standards; (2) an examination of 21 popular security frameworks and which of these features each one provides; (3) a discussion of how security features are represented in source code, as a basis for long-term tracking of implemented features. The taxonomy sits at an abstraction level between high-level standards and low-level configuration guidance and is meant to help developers choose security features and frameworks and relate them to the standards they must satisfy.

📝 Abstract
Security must be considered in almost every software system. Unfortunately, selecting and implementing security features remains challenging due to the variety of security threats and possible countermeasures. While security standards are intended to help developers, they are usually too abstract and vague to help implement security features, or they merely help with configuring them. A resource that describes security features at an abstraction level between high-level (i.e., rather too general) and low-level (i.e., rather too specific) security standards could facilitate secure systems development. To realize security features, developers typically use external security frameworks in order to minimize implementation mistakes. Even then, developers still make mistakes, often resulting in security vulnerabilities. When security incidents occur or the system needs to be audited or maintained, it is essential to know the implemented security features and, more importantly, where they are located. This task, commonly referred to as feature location, is often tedious and error-prone. Therefore, long-term tracking of implemented security features needs to be supported. We present a study of security features in the literature and their coverage in popular security frameworks. We contribute (1) a taxonomy of 68 functional implementation-level security features including a mapping to widely used security standards, (2) an examination of 21 popular security frameworks concerning which of these security features they provide, and (3) a discussion on the representation of security features in source code. Our taxonomy aims to aid developers in selecting appropriate security features and frameworks and in relating them to security standards when they need to choose and implement security features for a software system.
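The abstract describes feature location (knowing which security features a system implements and where) as tedious and error-prone, and names the representation of security features in source code as one of the paper's contributions. As an added illustration, not the paper's own tooling or any surveyed framework's code, the script below shows one way such tracking can be supported: developers mark each security feature implementation with an explicit source marker, a scanner builds a feature-to-location index from those markers, and an audit step flags markers that do not match the taxonomy, taxonomy features with no implementation, and calls to well-known security APIs that sit outside any marked block (the typical way an undocumented feature slips in). The marker convention (`# security-feature: <Name>`), the feature names in `TAXONOMY`, the `API_HINTS` mapping and the two sample source files are all assumptions constructed for this example; the paper's actual 68 features are not listed on this page.

```python
"""Feature location for security features via explicit source markers.

Added example; not code from the paper or from any framework it surveys.
Assumed conventions (all hypothetical, chosen for illustration):
  * a developer marks the implementation of a security feature with a
    comment `# security-feature: <Name>` directly above the definition it
    describes; the marker covers that definition's indented body
  * TAXONOMY is a small made-up subset of feature names (the paper's 68
    features are not listed on this page)
  * API_HINTS maps library calls that usually implement a feature to the
    feature name, so that calls outside a marked block can be flagged
"""
import re
from collections import defaultdict

# Hypothetical taxonomy subset: feature name -> short description.
TAXONOMY = {
    "PasswordHashing": "credential storage",
    "SessionToken": "session management",
    "ConstantTimeComparison": "side-channel resistance",
    "RateLimiting": "abuse protection",
}

# Hypothetical hints: library call -> feature it normally implements.
API_HINTS = {
    "bcrypt.hashpw": "PasswordHashing",
    "bcrypt.checkpw": "PasswordHashing",
    "secrets.token_urlsafe": "SessionToken",
    "hmac.compare_digest": "ConstantTimeComparison",
}

MARKER = re.compile(r"#\s*security-feature:\s*([A-Za-z0-9_]+)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_file(path: str, text: str, index, unmarked) -> None:
    """Fill `index` (feature -> [(path, line)]) and `unmarked`
    ((path, line, api, feature) for hinted calls outside a marked block)."""
    pending = None   # feature named by a marker not yet attached to code
    active = None    # (feature, indent) of the block a marker currently covers
    for n, line in enumerate(text.splitlines(), start=1):
        m = MARKER.search(line)
        if m:
            pending = m.group(1)
            continue
        if not line.strip():
            continue
        # Leaving the marked definition's body ends its coverage.
        if active and _indent(line) <= active[1]:
            active = None
        if pending:
            index[pending].append((path, n))
            active = (pending, _indent(line))
            pending = None
        for api, feature in API_HINTS.items():
            if api in line and (active is None or active[0] != feature):
                unmarked.append((path, n, api, feature))


def locate_features(sources: dict):
    """Scan {path: source_text}; return (index, unmarked)."""
    index = defaultdict(list)
    unmarked = []
    for path, text in sources.items():
        scan_file(path, text, index, unmarked)
    return dict(index), unmarked


def audit(index: dict, taxonomy: dict = TAXONOMY) -> dict:
    """Markers naming features outside the taxonomy, and taxonomy
    features that no marker claims to implement."""
    return {
        "unknown": sorted(f for f in index if f not in taxonomy),
        "missing": sorted(f for f in taxonomy if f not in index),
    }


# Constructed sample project (two small files) used as input below.
SAMPLE_SOURCES = {
    "auth/passwords.py": (
        "import bcrypt\n"
        "\n"
        "# security-feature: PasswordHashing\n"
        "def hash_password(pw: bytes) -> bytes:\n"
        "    return bcrypt.hashpw(pw, bcrypt.gensalt())\n"
        "\n"
        "def verify(pw: bytes, stored: bytes) -> bool:\n"
        "    return bcrypt.checkpw(pw, stored)\n"
    ),
    "api/tokens.py": (
        "import hmac, secrets\n"
        "\n"
        "# security-feature: SessionToken\n"
        "def new_token() -> str:\n"
        "    return secrets.token_urlsafe(32)\n"
        "\n"
        "def tokens_equal(a: str, b: str) -> bool:\n"
        "    return hmac.compare_digest(a, b)\n"
        "\n"
        "# security-feature: Auditing\n"
        "def log_issue(token_id: str) -> None:\n"
        "    print('issued', token_id)\n"
    ),
}

if __name__ == "__main__":
    index, unmarked = locate_features(SAMPLE_SOURCES)
    for feature, locs in sorted(index.items()):
        print(feature, locs)
    for path, n, api, feature in unmarked:
        print(f"{path}:{n}: {api} used outside a block marked {feature}")
    print(audit(index))
```

Run on the constructed sample, the scanner indexes three marked features, reports `bcrypt.checkpw` and `hmac.compare_digest` as security-relevant calls outside any marked block, and the audit flags `Auditing` as a marker name not in the taxonomy and `ConstantTimeComparison` and `RateLimiting` as taxonomy features with no claimed implementation. The same index is what an incident responder or auditor would consult to answer "where is password hashing implemented?" without reading the whole code base.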
Problem

Research questions and friction points this paper is trying to address.

Software Security
Security Standards
Vulnerability Management
Innovation

Methods, ideas, or system contributions that make the work stand out.

Security Feature Taxonomy (68 implementation-level features mapped to security standards)
Framework Coverage Analysis (21 popular security frameworks)
Representation of Security Features in Source Code
Long-term Tracking of Implemented Security Features (Feature Location)