
Build It, Break It, Fix It SS2018


This course aims to teach basic principles of secure software development in a very practical fashion. It is based on the "Build It, Break It, Fix It" security contest by Ruef et al. [1].

The contest is separated into three phases that test the applicant's skills in the fields of building, breaking and fixing software products.

In the "Build It" phase, students will be asked to gather in teams and develop small software projects based on a formal specification, also including security requirements. In the "Break It" phase, the developed software will be exchanged between development teams to break the implementation, i.e., find and exploit security vulnerabilities in code of other teams. Afterward, in the "Fix It" phase, teams will get the chance to fix found vulnerabilities and, hence, render their software product more secure.

The course will contain a theoretical part in which basic strategies of secure software development and vulnerability discovery are presented. Furthermore, specific vulnerability classes and examples of their exploitation will be presented as a stimulus at the beginning of the "Break It" phase. Nevertheless, the course is generally of a very practical nature, and since securing a software product, as well as breaking it, demands a wide variety of skills and creativity, a high degree of motivation and self-organization is required.


For attending the course, you need to have solved a small challenge

The deadline for the challenge is over and the evaluation has taken place. All students who successfully solved the challenge should have received an email, confirming that they qualified for taking the course. If you did not solve the challenge, you cannot take part in the course!



Course number and language

Course Number: L.079.05813

The teaching language will be English. Questions in German will be permitted.

Time and place

There will be a mandatory kickoff session for each phase of the lecture. Additionally, three question and answer sessions are provided which can be visited on a voluntary basis.


  • 23.7.2018 2 PM s.t. - 6 PM Kickoff "Build It"
  • 27.7.2018 4 PM s.t. - 6 PM Q&A session 1 (voluntary)
  • 30.7.2018 2 PM s.t. - 6 PM Kickoff "Break It"
  • 03.8.2018 4 PM s.t. - 6 PM Q&A session 2 (voluntary)
  • 10.8.2018 4 PM s.t. - 6 PM Q&A session 3 (voluntary)
  • 13.8.2018 2 PM s.t. - 6 PM Break presentations + Kickoff "Fix It"


F 1 110


Students will have to hand in a report of their work at the end of the course. 

The grading for the course will be based on the presentations during the course, the final report and the performance during every phase of the contest. While you shall work as a team, we are going to grade your individual contributions. Details will be announced in the lecture.


  • Bachelor's Degree in Computer Science (or similar).
  • A mature understanding of the Java programming language and software security requirements.
  • Secure software development practices and experience in the field of software exploitation and vulnerability discovery will be helpful. Also, having attended the "Secure Software Engineering" lecture is beneficial for this course.

Learning outcomes

After having attended this course, students will have…

  • gained knowledge and experience in the field of secure software development
  • gained knowledge and experience in the field of software exploitation as well as vulnerability discovery
  • learned common real-world software vulnerabilities and ways of exploiting them

Recommended reading material

  1. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. 2016. Build It, Break It, Fix It: Contesting Secure Development. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 690-703. DOI: