Build-it, Break-it, Fix-it (BIBIFI) is a programming contest which aims to assess the ability to securely build software, not just break it. During the Build-it round, contestants implement software according to a provided specification with security goals. The software is scored for being correct, efficient, and featureful. The second round asks teams to find defects in other teams’ build-it submissions (Break-it) and patch the bugs and vulnerabilities found in their code (Fix-it). In addition to being an excellent learning opportunity for participants, the BIBIFI contest produces data that provides insights into secure development practices and software quality.

BIBIFI has been used in classes at the University of Maryland, Universität Paderborn, University of Pennsylvania, Texas A&M University, and Carnegie Mellon University. The infrastructure code to run the contest is open source. If you are interested in running the contest, please reach out to us!

Publications related to this project:

• Build It, Break It, Fix It: Contesting Secure Development, TOPS 2020. James Parker, Michael Hicks, Andrew Ruef, Michelle L. Mazurek, Dave Levin, Daniel Votipka, Piotr Mardziel, and Kelsey R. Fulton.
• Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It, USENIX 2020. Daniel Votipka, Kelsey R. Fulton, James Parker,Matthew Hou, Michelle L. Mazurek, and Michael Hicks. Named a Distinguished Paper of the conference.
• Build It, Break It, Fix It: Contesting Secure Development, CCS 2016. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle Mazurek, Piotr Mardziel.
• Build It Break It: Measuring and Comparing Development Security, CSET 2015. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Atif Memon, Jandelyn Plane, Piotr Mardziel.