Software is an essential component of business information systems, cyber-physical systems, and many personal devices. Despite increased awareness of and concern about software security threats, the current state of the art in software engineering practice is inadequate: new categories of security weaknesses are reported regularly. The challenges that hinder the development of secure software begin with the difficulty of identifying threats and estimating risks. Practices such as incremental software development also pose challenges to software security. This talk discusses, through a set of examples, how empirical research can help to advance the state of the art of secure software engineering.