Towards systematic software security hardening