This approach helps defenders step in the shoes of attackers and improve their defensive skills, and hopefully makes them think about what can be done about securing those very systems they were tasked to breach.
But what about pushing them towards constructing secure software in the first place? Well, now there is a contest that does exactly that.
It's called Build-it, Break-it, Fix-it, it's run by the University of Maryland (UMD), and is set to start on August 28.
The contest consists of three rounds, to be held on three weekends in a row:
The idea is to complete the circle, and reward those who build secure software in the first place.
The contest is open to graduate or undergraduate students of US-based universities, and no travelling is needed: the contest takes place online.
"Contestants form teams that perform in one of two roles (or both): build-it teams aim to build, over a weekend, a software system that is secure, while also aiming for featurefulness and efficiency; break-it teams aim to find bugs and vulnerabilities in build-it teams’ software," it is explained. "Cash prizes of $5,000 are awarded to the winning teams in each category (build-it and break-it), and $2,500 to the runners-up."
"The build-it, break-it, fix-it contest was conceived as a way to acquire useful scientific evidence, while at the same time engaging the student population and the wider community in a mentality of building security in rather than adding it after the fact," Dr. Michael Hicks, a professor in the Computer Science Department at the UMD, College Park, pointed out when initially announcing the contest earlier this year.
Dan Guido, co-founder and CEO of Trail of Bits, one of the firms sponsoring the contest, has pointed out that the competition could also gauge the security of the various programming languages the competitors will use to build their software.
"If their language is 'more secure' than others, it should come out on top in the contest and more implementations built with it will remain standing," he noted.
Registration for the competition is still open, and you can read up on contest rules and details here and here.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.