120 Domain-Specific Languages for Security

Markus Krausz, Sven Peldszus, Francesco Regazzoni, Thorsten Berger, Tim Güneysu

TL;DR

The paper presents the first holistic systematic review of 120 security-oriented domain-specific languages (DSLs), analyzing their security focus, SDLC integration, and evaluation practices. It reveals broad coverage across security subdomains but substantial fragmentation, limited multi-artifact integration, and a general lack of robust empirical validation and tooling support. The authors propose an initial evaluation framework and envision integration scenarios to guide future research, practice, and cross-DSL collaboration. The work highlights opportunities to standardize evaluation, improve usability, and bridge academia and industry, potentially accelerating the practical adoption of security DSLs across software development lifecycles.

Abstract

Security engineering, from security requirements engineering to the implementation of cryptographic protocols, is often supported by domain-specific languages (DSLs). Unfortunately, a lack of knowledge about these DSLs, such as which security aspects are addressed and when, hinders their effective use and further research. This systematic literature review examines 120 security-oriented DSLs based on six research questions concerning security aspects and goals, language-specific characteristics, integration into the software development lifecycle (SDLC), and effectiveness of the DSLs. We observe a high degree of fragmentation, which leads to opportunities for integration. We also need to improve the usability and evaluation of security DSLs.

Paper Structure (40 sections, 12 figures, 3 tables)

This paper contains 40 sections, 12 figures, 3 tables.

Figures (12)

  • Figure 1: Literature filtering process.
  • Figure 2: Communities of the publications from which the DSLs originate
  • Figure 3: Publication year of the DSLs and latest update on their publicly available repository or website
  • Figure 4: Security aspects addressed by the DSLs
  • Figure 5: SDLC phases relevant for using the security DSLs
  • ...and 7 more figures