Build It, Break It, Fix It
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2020-05-04, DOI: 10.1145/3383773
James Parker 1 , Michael Hicks 1 , Andrew Ruef 1 , Michelle L. Mazurek 1 , Dave Levin 1 , Daniel Votipka 1 , Piotr Mardziel 2 , Kelsey R. Fulton 1

Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it, Break-it, Fix-it (BIBIFI) contest, which aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams’ submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended—teams can use any language, tool, process, and so on, that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. We ran three contests involving a total of 156 teams and three different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in a statically type safe language were 11× less likely to have a security flaw than C/C++ submissions. Break-it teams that were also successful build-it teams were significantly better at finding security bugs.

Updated: 2020-05-04