Q1: Is the SWD Competition using PLUM Lab’s BIBIFI?

No. The SWD Competition runs on our own code. See the credits page for the list of contributors. However, the competition is inspired by PLUM Lab’s BIBIFI competition, and the scoring rules are based on BIBIFI’s.

Q2: Why did you write your own platform instead of reusing BIBIFI?

There are a couple of reasons.

First, we wanted a platform covering the three phases, like BIBIFI, but centered on discovering, reporting, and managing vulnerabilities, including preparing high-quality vulnerability reports. Also, we wanted to develop and support a positive, ethical, and responsible culture around vulnerability reporting. These features are not supported by the current BIBIFI.

Second, setting up BIBIFI was not a straightforward task. Long story short, we tried and we failed. We asked around for help (including Eric Bodden’s group and PLUM’s staff), but that did not go very far. We finally gave up.

Third, the BIBIFI code is in Haskell, which considerably reduces our ability to extend, debug, and patch the code as we wanted.

In the end, we realized that it would have taken less time to just rebuild the whole thing, relying on a self-hosted GitLab instance, its fantastic API, and Jekyll for the front end(s).

Q3: Where can I find the source code of the SWD Competition?

We want to publish the code of the platform so others can use it, and we will. But first, we want to run one or two competitions with it to make sure everything works fine.

Q4: Is the SWD Competition only for SWD students?

For the moment, yes. The SWD Competition is part of the SWD lecture.

Q5: What is the difference between SWD and Foundations of Web Security?

Both are CS lectures at Saarland University. However:

  1. Foundations of Web Security covers the fundamental security problems prevalent on the Web and security mechanisms to mitigate them. A particular focus lies on the offensive side of web security, whereas defense mechanisms merely need to be added to stop the attacks.
  2. SWD focuses on architectural and engineering aspects of secure web applications, including secure coding, secure architectures, security testing, and code review techniques, and provides an extensive library of vulnerabilities.