Coock+ project SECDES

Exploring how SaaS teams can adopt security by design without slowing innovation.

Companies that build Software-as-a-Service (SaaS) solutions face unique security challenges. Their architectures are often complex, involving multiple technologies, integrations, and cloud-based deployments. This complexity makes it difficult to embed robust security measures directly into the design. As a result, many organizations either postpone security until late in development or rely on ad-hoc solutions, leaving applications exposed to cyberattacks and data breaches.

At the same time, the pressure to demonstrate trustworthy security practices is rapidly increasing. Customers are becoming more vigilant about the safety of the software they use, with growing awareness of supply chain risks. Legislators have also raised the bar through frameworks such as NIS2 and CRA, requiring companies to provide evidence of how their software is secured. For small and medium-sized enterprises, especially those developing SaaS products, these demands are particularly heavy: resources are scarce, but the need to prove security maturity is urgent.

The SECDES project addresses exactly that gap. By making advanced methods from security engineering accessible and practical, we aim to support companies in integrating security-by-design into their development processes. Our goal is to lower the barriers for adopting modern, cost-efficient, and lightweight security approaches, enabling businesses to confidently design, test, and report on the security of their SaaS products. In doing so, we help them strengthen their competitiveness, accelerate time-to-market, and build digital services that customers can trust.

The project is aimed primarily at small and medium-sized companies in Flanders that develop and deliver SaaS solutions, including firms that complement physical products with online platforms. These organizations often have limited in-house expertise but face the same complex security challenges as larger players. By participating, they gain access to knowledge, tools, and guidance that would otherwise remain out of reach.

Focus of the project

The project revolves around three core areas that together cover the entire journey from knowledge to practice: building and translating expertise, offering practical tooling, and supporting effective documentation and reporting. By advancing in each of these areas, companies can steadily mature their security capabilities and move towards a full security-by-design culture.

Knowledge Buildup and Translation

This focus area ensures that companies gain both awareness and actionable insights into secure software development. Many organizations lack deep expertise in cybersecurity, and the tools available are often documented only for simple cases, not for the complex SaaS environments in which our target group operates. This project collects, structures, and translates cutting-edge research results—such as threat modeling methods, application analysis, and security testing techniques—into practical blueprints and case studies. The emphasis lies on making complex security principles understandable and directly relevant to industry needs. Through this effort, companies can learn to identify vulnerabilities early, understand trade-offs between design choices, and build secure architectures that align with their business goals. By grounding knowledge in realistic SaaS scenarios, we bridge the gap between academic research and day-to-day software engineering practice.

Practical Tooling

Even with strong theoretical understanding, companies need tangible tools to put security-by-design into practice. The second focus area equips them with hands-on resources to secure both the architecture and deployment of their applications. We provide evaluation frameworks and trade-off analyses that help businesses select the right security tools for their specific environments. This includes vulnerability scanners, automated testing frameworks, and methods for integrating security checks into the software development life cycle. The project also delivers demonstrators that show how tools can be realistically applied in cloud-based SaaS setups, making their value concrete and relatable. By lowering the learning curve and tailoring the use of tools to complex architectures, we empower companies to move from theory to action—detecting and mitigating risks before they can be exploited.

Documentation & Reporting

Security is only credible when it can be demonstrated. That is why the third focus area is dedicated to documentation and reporting. Companies often struggle to present their security posture in a structured and convincing way, whether towards customers, regulators, or internal stakeholders. This project supports them in developing clear, standardized templates for security reporting. These cover not only the architecture and design decisions, but also the testing strategies and operational safeguards in place. By offering guidance on what to document and how to present it, we help businesses communicate their security maturity transparently and confidently. Effective reporting not only supports compliance with regulatory requirements, but also strengthens customer trust and positions companies as reliable partners in the digital ecosystem.

By lowering the barriers to adopting secure-by-design practices, this project will have a direct economic and societal impact. Companies will reduce the costs and risks associated with cyber incidents, while also accelerating the development of secure products. Stronger security will become a competitive advantage, opening doors to international markets and shortening sales cycles. On a broader level, this project fosters a culture of trust and resilience in the digital economy: as more businesses embed security into their DNA, confidence in digital services grows across the ecosystem.

We warmly invite all interested companies, partners, and stakeholders to join us in this initiative. Whether you are building SaaS products, offering complementary services, or simply want to strengthen your approach to security, your participation will help shape a stronger and safer digital future.