Empirical Research for Software Security : Foundations and Experience