diff --git a/README.md b/README.md
index d02a34e..369fa79 100644
--- a/README.md
+++ b/README.md
@@ -29,9 +29,10 @@ The buildpack will do the following:
 The buildpack optionally accepts the following bindings:
 
 ### Type: `maven`
-|Secret | Description
-|-----|--------------
-|`settings.xml` | If present, `--settings=<path/to/settings.xml>` is prepended to the `maven` arguments
+|Secret                  | Description
+|------------------------|--------------
+|`settings.xml`          | If present `--settings=<path/to/settings.xml>` is prepended to the `maven` arguments
+|`settings-security.xml` | If present `-Dsettings.security=<path/to/settings-security.xml>` is prepended to the `maven` arguments
 
 ### Type: `dependency-mapping`
 |Key                   | Value   | Description
diff --git a/maven/build.go b/maven/build.go
index 05f5911..400dc3e 100644
--- a/maven/build.go
+++ b/maven/build.go
@@ -139,13 +139,14 @@ func (b Build) Build(context libcnb.BuildContext) (libcnb.BuildResult, error) {
 }
 
 func handleMavenSettings(binding libcnb.Binding, args []string, md map[string]interface{}) ([]string, error) {
-	path, ok := binding.SecretFilePath("settings.xml")
+	settingsPath, ok := binding.SecretFilePath("settings.xml")
 	if !ok {
 		return args, nil
 	}
-	args = append([]string{fmt.Sprintf("--settings=%s", path)}, args...)
+	args = append([]string{fmt.Sprintf("--settings=%s", settingsPath)}, args...)
+
 	hasher := sha256.New()
-	settingsFile, err := os.Open(path)
+	settingsFile, err := os.Open(settingsPath)
 	if err != nil {
 		return nil, fmt.Errorf("unable to open settings.xml\n%w", err)
 	}
@@ -153,6 +154,23 @@ func handleMavenSettings(binding libcnb.Binding, args []string, md map[string]in
 		return nil, fmt.Errorf("error hashing settings.xml\n%w", err)
 	}
 	md["settings-sha256"] = hex.EncodeToString(hasher.Sum(nil))
+
+	settingsSecurityPath, ok := binding.SecretFilePath("settings-security.xml")
+	if !ok {
+		return args, nil
+	}
+	args = append([]string{fmt.Sprintf("-Dsettings.security=%s", settingsSecurityPath)}, args...)
+
+	hasher.Reset()
+	settingsSecurityFile, err := os.Open(settingsSecurityPath)
+	if err != nil {
+		return nil, fmt.Errorf("unable to open settings-security.xml\n%w", err)
+	}
+	if _, err := io.Copy(hasher, settingsSecurityFile); err != nil {
+		return nil, fmt.Errorf("error hashing settings-security.xml\n%w", err)
+	}
+	md["settings-security-sha256"] = hex.EncodeToString(hasher.Sum(nil))
+
 	return args, nil
 }
 
diff --git a/maven/build_test.go b/maven/build_test.go
index ea7fc1b..58d144c 100644
--- a/maven/build_test.go
+++ b/maven/build_test.go
@@ -198,6 +198,73 @@ func testBuild(t *testing.T, context spec.G, it spec.S) {
 			Expect(mdMap["settings-sha256"]).To(Equal(expected))
 		})
 	})
+
+	context("maven settings incl. settings-security bindings exists", func() {
+		var result libcnb.BuildResult
+
+		it.Before(func() {
+			var err error
+			ctx.StackID = "test-stack-id"
+			ctx.Platform.Path, err = ioutil.TempDir("", "maven-test-platform")
+			Expect(ioutil.WriteFile(filepath.Join(ctx.Application.Path, "mvnw"), []byte{}, 0644)).To(Succeed())
+			ctx.Platform.Bindings = libcnb.Bindings{
+				{
+					Name: "some-maven",
+					Type: "maven",
+					Secret: map[string]string{
+						"settings.xml":          "maven-settings-content",
+						"settings-security.xml": "maven-settings-security-content",
+					},
+					Path: filepath.Join(ctx.Platform.Path, "bindings", "some-maven"),
+				},
+			}
+			mavenSettingsPath, ok := ctx.Platform.Bindings[0].SecretFilePath("settings.xml")
+			Expect(os.MkdirAll(filepath.Dir(mavenSettingsPath), 0777)).To(Succeed())
+			Expect(ok).To(BeTrue())
+			Expect(ioutil.WriteFile(
+				mavenSettingsPath,
+				[]byte("maven-settings-content"),
+				0644,
+			)).To(Succeed())
+
+			mavenSettingsSecurityPath, ok := ctx.Platform.Bindings[0].SecretFilePath("settings-security.xml")
+			Expect(os.MkdirAll(filepath.Dir(mavenSettingsSecurityPath), 0777)).To(Succeed())
+			Expect(ok).To(BeTrue())
+			Expect(ioutil.WriteFile(
+				mavenSettingsSecurityPath,
+				[]byte("maven-settings-security-content"),
+				0644,
+			)).To(Succeed())
+
+			result, err = mavenBuild.Build(ctx)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(result.Layers).To(HaveLen(2))
+		})
+
+		it.After(func() {
+			Expect(os.RemoveAll(ctx.Platform.Path)).To(Succeed())
+		})
+
+		it("provides -Dsettings.security and --settings argument to maven", func() {
+			Expect(result.Layers[1].(libbs.Application).Arguments).To(Equal([]string{
+				fmt.Sprintf("-Dsettings.security=%s", filepath.Join(ctx.Platform.Path, "bindings", "some-maven", "settings-security.xml")),
+				fmt.Sprintf("--settings=%s", filepath.Join(ctx.Platform.Path, "bindings", "some-maven", "settings.xml")),
+				"test-argument",
+			}))
+		})
+
+		it("adds the hash of settings-security.xml and settings.xml to the layer metadata", func() {
+			md := result.Layers[1].(libbs.Application).LayerContributor.ExpectedMetadata
+			mdMap, ok := md.(map[string]interface{})
+			Expect(ok).To(BeTrue())
+			// expected: sha256 of the string "maven-settings-content"
+			expected := "cc784f356a8efb8e138b99aabe8b1c813a3e921b059c48a0b39b2497a2c478c5"
+			Expect(mdMap["settings-sha256"]).To(Equal(expected))
+			// expected: sha256 of the string "maven-settings-security-content"
+			expected = "91dff74ef3ab7f5ccb5808b32c30d2ab35b9f699d9a613c05a7f45eb83dd4c3a"
+			Expect(mdMap["settings-security-sha256"]).To(Equal(expected))
+		})
+	})
 }
 
 type FakeApplicationFactory struct{}