Startseite > Fachgruppen > Softwaretechnik > Lehre > Build It, Break It, Fix It WS 2019/2020

Build It, Break It, Fix It WS 2019/2020


This course aims at teaching basic principles of secure software development in a very practical fashion. It is based on the "Break It, Build It, Fix It" security contest by Ruef et al. [1].

The contest is separated into three phases that test the applicant's skills in the fields of building, breaking and fixing software products.

In the "Build It" phase, students will be asked to gather in teams and develop small software projects based on a formal specification, also including security requirements. In the "Break It" phase, the developed software will be exchanged between development teams to break the implementation, i.e., find and exploit security vulnerabilities in code of other teams. Afterward, in the "Fix It" phase, teams will get the chance to fix found vulnerabilities and, hence, render their software product more secure.

The course will contain a theoretical part in which basic strategies of secure software development and vulnerability discovery are presented. Furthermore, specific vulnerability classes and examples of their exploitation will be presented as stimulus at the beginning of the "Break It" phase. Nevertheless, the course is generally of a very practical nature and since securing a software product, as well as breaking it, demands a wide variety of skills and creativity, a quite high amount of motivation and self-organization is required.

The course is designed for full-time work and has a tight schedule. We strongly recommend not to schedule any other duties such as exams, deadlines, work into the period of the course. If you can already foresee that you will be unable to work on this course full time, we strongly recommend you not to take the course.


For attending the course, registration in Paul is required.

To ensure the quality of the course we have limited the number of participants to 60. We might increase the limit depending on funding for WHK who would support in running the course.

Currently (1st August, 11:30) all places are taken. If you are interested in this course and have not already registered, please monitor Paul in case other students deregister or we increase the number of participants.



Course number and language

Course Number: L.079.05813

The teaching language will be English. Questions in German will be permitted.

Time and place

There are the mandatory course appointments. All appointments are c.t.


  • Mo 24.02.2020 08:00 - 12:00 Kickoff „Build It"
  • Tue 03.03.2020 14:00 - 18:00 Kickoff „Break It"
  • Mo 16.03.2020 08:00 - 12:00 Break presentations + Kickoff „Fix It"
  • Mo 23.03.2020 14:00 - 17:00 Final presentations


F 1 110


Students will have to hand in a report of their work at the end of the course. 

The grading for the course will be based on the presentations during the course, the final report and the performance during every phase of the contest. While you shall work as a team, we are going to grade your individual contributions. Details will be announced in the lecture.


  • Bachelor's Degree in Computer Science (or similar).
  • A mature understanding of the Java programming language and software security requirements.
  • Secure software development practices and experience in the field of software exploitation and vulnerability discovery will be helpful. Also, having attended the "Secure Software Engineering" lecture is benefitial for this course.

Learning outcomes

After having attended this course, students will have…

  • gained knowledge and experience in the field of secure software development
  • gained knowledge and experience in the filed of software exploitation as well as vulnerability discovery
  • learned common real world software vulnerabilities and ways of exploiting them

Recommended reading material

  1. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. 2016. Build It, Break It, Fix It: Contesting Secure Development. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 690-703. DOI: