It Was Built, Broken, and Fixed: Secure Programming Competitions for Research and Education

Software fails us every day and we want it to stop. We decided to investigate the failures of software by investigating the creation of software, through coding competitions with a security focus: contestants build software to a specification, and then they assess the security of other contestants' implementations. We've run this contest multiple times and have a few hundred implementation artifacts with bugs and data. In this talk I'll describe the experimental setup, the architecture, and the game theory that makes it work, as well as our experiences, preliminary data analysis, and thoughts.

Andrew Ruef is a PhD student in Computer Science at the University of Maryland, in the PLUM lab. He is advised by Dr. Michael Hicks. He also works for Trail of Bits as a systems engineer and software developer. Andrew has worked professionally in computer security and technology for many years. He is interested in software and application security, programming languages, bug identification, compiler technology, and systems security.