This study addresses the significant abstraction gap between security-by-design specifications—typically expressed in domain-specific languages (DSLs)—and code-level analyzers, which impedes the traceability of design intent to implementation vulnerabilities. It presents the first large-scale empirical investigation, examining 559 security checks across 36 analyzers and 66 security design DSLs. The authors introduce SecLan, a unified model that captures shared security concepts between these two layers, and validate its structure through expert evaluation involving 22 practitioners and qualitative interviews with 9 additional experts. The findings reveal a pronounced mismatch between security concepts at the design and implementation levels, with existing analyzer checks often relying on overly broad vulnerability descriptions, leading to ambiguous mappings. This work provides both an empirical foundation and a modeling framework to bridge the gap between security design and implementation.

When assessing the potential impact of code-level vulnerabilities, e.g., discovered by automated analyzers, it is essential to consider them in the context of the system's security design. However, this is a challenging task due to the abstraction gap between security design, often specified using security DSLs, and implementation. As we will show, even security experts lack a complete understanding of this relationship. Intrigued by this gap (and the general disconnect between secure design and secure implementation) we present a study of 66 design-level security DSLs and 559 security checks from 36 code-level analyzers. We identify what concepts are common to both and capture them in the SecLan model, which has been validated by 22 security experts. Based on this, we investigate the relationship between DSLs and analyzers quantitatively and explore it qualitatively together with 9 security experts. We learn that there are few commonalities between design-level and implementation-level security; security checks are often described by overly general weaknesses, resulting in many non-obvious potential relationships between security DSLs and analyzers; and even security experts are overwhelmed by this complexity. We provide an empirical basis that helps practitioners and researchers better understand the gap and serves as a first step toward bridging it.