Education Initiative Spotlight: Build it Break it

Dan Guido
education, sponsorships

Build it Break it is a first-of-its-kind security challenge run by UMD

We’re proud to be a sponsor of the first Build it Break it programming contest, run by the University of Maryland (UMD) and supported by one of our own employees and PhD student at the university, Andrew Ruef. Build it Break it is a “flipped CTF” where contestants both implement secure software and identify vulnerabilities in the creations of others. Points are awarded for the secure construction of software and for identifying security flaws.

The build-it, break-it, fix-it contest was conceived as a way to acquire useful scientific evidence, while at the same time engaging the student population and the wider community in a mentality of building security in rather than adding it after the fact. – Michael Hicks

At Trail of Bits, we think Build It Break it is a necessary addition to the suite of available competitions in the security community. There are a wealth of opportunities for students to learn to break software (many of which we support), however, there are relatively few that challenge them to build it right. In this unique contest, there is something for both builders and breakers since it rewards both activities.

It also presents an opportunity for language evangelists to demonstrate the merits of their approach – if their language is “more secure” than others, it should come out on top in the contest and more implementations built with it will remain standing. Contestants can use any programming language or framework to write their software, so by observing the contest, the community gathers empirical evidence about the security or insecurity of available tools.

Any undergraduate or graduate student at a US-based university is eligible to compete for cash prizes in Build it Break it. Though, be warned that Trail of Bits engineers will be on hand to assist as a “break it” team. For more information about the motivations behind this contest, see this blog post and slide deck from Michael Hicks.