Software Security Hackathon

Break it, Fix it, Review it – Test your software security expertise

The threat posed by security vulnerabilities in software products is a growing danger to the success of companies of all sizes and in all industries. This makes it all the more important for software developers to have the necessary skills to secure their products and thus contribute to strengthening cyber resilience.

In our innovative hackathon ‘Break it, Fix it, Review it’, you will be challenged to demonstrate your software security skills in a team competition. In a practical setting, you will learn how to identify, evaluate and fix security vulnerabilities. You will also take on the role of reviewer and practise evaluating the work of your colleagues, before discussing it with them and developing secure solutions together.

This training is aimed at developers who already have basic knowledge of software security. Among other things, it provides an ideal transition between the Certified Security Champion Training and the everyday work of future security champions. It is also a suitable follow-up to our 2-day Software Security Training for Developers.

Agenda and content of the software security hackathon

The hackathon is a team-based competition: at least two teams consisting of 3-5 people compete against each other and demonstrate their software security skills. Using an insecure application provided by us, three phases are completed (see figure).

To win the hackathon, a team must have accumulated more points than the other teams at the end. In the first two phases, teams earn points by finding, evaluating and fixing vulnerabilities. In the final phase, ‘Review it’, these points can be ‘stolen’ by an opposing team if it can prove that they were earned unfairly, e.g. because a vulnerability was assessed incorrectly or a fix was implemented incorrectly.

During the hackathon, the teams are accompanied by our experienced trainers, who are available at all times to answer questions and provide tips. This ensures that no one gets bored and that the teams make continuous progress. At the beginning and end of each day, the teams meet individually with the trainers to discuss the results achieved and coordinate the next steps. At the end of the hackathon, the points scored by each team are calculated and announced at an award ceremony.

Our insecure apps

There are currently two applications available for the hackathon. Both have the following features:

  • Web app with Java Spring in the backend
  • Fully functional, but highly insecure
  • Contain more than 50 different exploitable vulnerabilities
  • Vulnerabilities can be found manually and with tools
  • Closed source: The vulnerabilities are not publicly known, making the hackathon a truly realistic challenge, as there is no public model solution!

Please contact us if you have any individual requests regarding the domain and the technology used. We will find a customised solution!

Your benefits

By participating in the Security Hackathon, you as a software developer can test and improve your software security skills. The applications used are challenging and offer a variety of vulnerabilities – some are easy to find, others are well hidden. The competitive nature of the event and the teamwork involved also make it a lot of fun.

Your advantages at a glance:

  • You will practise finding, evaluating and prioritising vulnerabilities, including the use of security tools.
  • You will learn how to strengthen cyber resilience in your products and thus be prepared for future cyber threats.
  • Experienced trainers will support you with tips and answers to your questions.
  • In a traditional training course, you only have to find one vulnerability within an A4 page of code in the exercises – with us, you get a realistically large application.
  • You practise reviewing your colleagues' work and discussing it with them.
  • Your enthusiasm for mastering a cybersecurity challenge will carry over into your everyday work, motivating you to regularly fix vulnerabilities.
  • Cohesion and trust within the development team will grow, turning the further development of security expertise into a team-building exercise!

Your trainers

Sebastian Leuer

Sebastian Leuer is a research associate in the "Secure Services and Apps" department at Fraunhofer IEM. His expertise includes static code analysis and secure development in C# and .NET. He is a Certified Scientific Trainer (Foundational Level).

Dr. Thorsten Koch

Thorsten Koch is a research associate in the "Secure IoT Systems" department at Fraunhofer IEM. He is a Certified Scientific Trainer (Foundational Level) and ISA/IEC 62443 Cybersecurity Fundamentals Specialist.
