Build It, Break It, Fix It SS2017

Course material

The contest website will be the most important source of material for you:

Build it slides

Break it slides

Fix it slides

Course number and language


The teaching language will be English. Questions in German will be permitted.


This course aims at teaching basic principles of secure software development in a very practical fashion. It is based on the "Break It, Build It, Fix It" security contest by Ruef et al. [1].

The contest is separated into three phases that test the applicant's skills in the fields of building, breaking and fixing software products.

In the "Build It" phase, students will be asked to gather in teams and develop small software projects based on a formal specification, also including security requirements. In the "Break It" phase, the developed software will be exchanged between development teams to break the implementation, i.e., find and exploit security vulnerabilities in code of other teams. Afterward, in the "Fix It" phase, teams will get the chance to fix found vulnerabilities and, hence, render their software product more secure.

The course will contain a theoretical part in which basic strategies of secure software development and vulnerability discovery are presented. Furthermore, specific vulnerability classes and examples of their exploitation will be presented as stimulus at the beginning of the "Break It" phase. Nevertheless, the course is generally of a very practical nature and since securing a software product, as well as breaking it, demands a wide variety of skills and creativity, a quite high amount of motivation and self-organization is required.

Time and place

There will be a mandatory kickoff session for each phase of the lecture and a mandatory final session where students are asked to present their results. Additionally, three question and answer sessions are provided which can be visited on a voluntary basis.


  • 31.7.2017 10 AM s.t. - 3 PM Kickoff „Build It"
  • 03.8.2017 10 AM s.t. - 1 PM Q&A session 1 (voluntary)
  • 07.8.2017 10 AM s.t. - 3 PM Intermediate presentations + Kickoff „Break It"
  • 10.8.2017 10 AM s.t. - 1 PM Q&A session 2 (voluntary)
  • 14.8.2017 10 AM s.t. - 3 PM Intermediate presentations + Kickoff „Fix It"
  • 17.8.2017 10 AM s.t. - 1 PM Q&A session 3 (voluntary)
  • 21.8.2017 10 AM s.t. - 1 PM Final presentations


F 1 110


The exam will be an oral exam.

Time and Place: tba

Also, students will have to hand in a report of their work at the end of the course. 

The grading for the course will be based on performance in the exam, the presentations during the course, the final report, and the performance during every phase of the contest.


  • Bachelor's Degree in Computer Science (or similar).
  • A mature understanding of the Java programming language and software security requirements.
  • Secure software development practices and experience in the field of software exploitation and vulnerability discovery will be helpful.

Learning outcomes

After having attended this course, students will have…

  • gained knowledge and experience in the field of secure software development
  • gained knowledge and experience in the filed of software exploitation as well as vulnerability discovery
  • learned common real world software vulnerabilities and ways of exploiting them

Recommended reading material

  1. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. 2016. Build It, Break It, Fix It: Contesting Secure Development. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 690-703. DOI: