Prior security development research lacks empirical grounding, particularly regarding engineers’ practical challenges in industrially engineering and maintaining security features (e.g., encryption, access control). Method: We conducted a qualitative study involving semi-structured interviews with 26 experienced practitioners, followed by thematic coding to empirically validate and refine four prevalent industry assumptions. Contribution/Results: We identify three core challenges: (1) ambiguous security trade-off decisions, (2) severe documentation deficits, and (3) excessive maintenance burden during system evolution. We further characterize recurring code patterns and maintenance bottlenecks associated with security features. This work fills a critical gap in empirical security engineering research and provides actionable, evidence-based insights for designing security tools, IDE plugins, and engineering guidelines—thereby bridging the theory–practice divide in secure software development.

Software security is of utmost importance for most software systems. Developers must systematically select, plan, design, implement, and especially maintain and evolve security features -- functionalities to mitigate attacks or protect personal data such as cryptography or access control, to ensure the security of their software. While security features are usually available in libraries, additional code needs to be written and maintained to integrate security features and not all desired features can be reused this way. While there have been studies on the use of such libraries, surprisingly little is known about how developers engineer security features, how they select what security features to implement, and the implications on maintenance. We therefore currently rely on assumptions that are largely based on common sense or individual examples. However, researchers require hard empirical data to understand what practitioners need and how they view security, which we currently lack to provide them with effective solutions. We contribute an exploratory study with 26 knowledgeable industrial participants. We study how security features of software systems are selected and engineered in practice, what their code-level characteristics are, and the challenges practitioners face. Based on the empirical data gathered, we validate four common assumptions and gain insights into engineering practices.