Empowering Software Engineers to Design More Secure Web Applications: Guidelines and Potential of Using LLMs as a Recommender Tool
Journal article, 2026

As software applications become increasingly connected and complex, cybersecurity becomes more important to consider during development and evaluation. Software engineers need to be aware of the various security threats and of the countermeasures that can mitigate them. Currently, there is a lack of guidance for software engineers aiming to develop secure web applications. We conducted a design science research study that resulted in a set of guidelines to aid software engineers in developing secure web applications. The guidelines were constructed from interview data with 10 industry practitioners and then evaluated in a survey with 28 respondents. Additionally, we conducted experiments in which we provided a large language model with our guidelines and with vulnerability reports as input; the model was tasked with extending each vulnerability report by recommending which of our guidelines could help prevent the reported vulnerability in the future. The extended reports were evaluated by two external researchers experienced in cybersecurity and by one author. Our results indicate that developers would consider using the proposed guidelines for the development and assessment of secure web applications in different stages of the software development lifecycle. Our results also show that vulnerability reports can be automatically enhanced in a way that meaningfully supports developers, and that the guidelines recommended by the large language model are useful for preventing the respective vulnerabilities in the future.

Keywords: guidelines; experiments; software engineering; LLM; survey; design science research; web applications; cybersecurity; interviews

Authors

Raffaela Groner (University of Gothenburg; Chalmers, Computer Science and Engineering (Chalmers), Interaction Design and Software Engineering)

Klara Svensson (Student at Chalmers)

Drake Axelrod

Ranim Khojah (University of Gothenburg; Chalmers, Computer Science and Engineering (Chalmers), Interaction Design and Software Engineering)

Mazen Mohamad (RISE Research Institutes of Sweden; Chalmers, Computer Science and Engineering (Chalmers), Interaction Design and Software Engineering; University of Gothenburg)

Rebekka Wohlrab (Chalmers, Computer Science and Engineering (Chalmers), Interaction Design and Software Engineering; University of Gothenburg)

Published in: Journal of Software: Evolution and Process, 2047-7481 (eISSN), Vol. 38, Issue 2, article e70083

Subject Categories (SSIF 2025): Software Engineering; Computer Sciences

DOI: 10.1002/smr.70083

Latest update: 2/18/2026