Registration for this course is open until Monday, 03.11.2025 11:00.

Security Testing

The Course. Software has bugs, and catching bugs can involve lots of effort. This course addresses this problem by automating software testing, specifically by generating tests automatically. Recent years have seen the development of novel techniques that have led to dramatic improvements in test generation and software testing. In this course, we explore these techniques – in theory and in code.

Course Material. The course material comes as a collection of Jupyter Notebooks, in which you can study how the individual techniques work – and even do your own experiments and create new combinations. Every week, you will be getting 1–2 new chapters (notebooks) on a new topic, which we will then discuss the next week in the classroom. All chapters are available at

https://www.fuzzingbook.org/

In the notebook, you can edit the code as you like, run your own experiments, and re-use and extend the code to your liking; but you can also download and use the Python code "as is". Your task will be to use these techniques (and their code) to build a series of fuzzers (i.e., test generators) that find bugs in several challenging settings.

Attending. The lectures for this course take place on site. In each lecture, our lecturer (Andreas) will introduce you to the chapters to be read in the upcoming week and answer questions. The book also offers video lectures for each chapter.

Weekly exercises. Every week, you will get an exercise sheet with exercises relating to the current chapter. Your solutions are due after one week and will be graded.

Projects. During the course, you will run two projects in which you will build your own automated fuzzing tools. You will implement projects in Python and use Jupyter Notebooks to document design choices and introduce your readers to the included code.

Exam. There will be an exam and a re-exam at the end of the course, taking place in March and April 2026.

Grading. Grading will be based on

  • points achieved in weekly exercises (25%)
  • points achieved in Project 1 (25%)
  • points achieved in Project 2 (25%)
  • points achieved in the Exam (25%)

To pass, you must achieve 50% of points in each category and 50% of the overall points.

The Prerequisites. We expect programming skills at the level of "Programming 2". Knowledge of Python, program analysis, and instrumentation can be acquired on the go. We use statistics, logic, and machine learning, but nothing too exotic.

Questions and Answers. We will set up discussion forums for questions and answers. You can also ask questions during the lecture and get immediate answers.

Date and Time. Every Tuesday, 14:15–16:00 in CISPA C0, Stuhlsatzenhaus 5, Lecture Hall 0.05. The lecture runs in person. The course starts on Tuesday, October 21. There will be no lectures in the two-week Christmas break; the last lecture is on February 3.

Lecture Plan. (Tentative and subject to change.)

The sequence of chapters is different from the book; to synchronize with the projects, we first discuss black-box techniques, then white-box techniques, and then domain-specific approaches.

2025-10-21: Introduction to the course • Introduction to Software Testing
2025-10-28: Introduction to Fuzzing
2025-11-04: Fuzzing with Grammars • Efficient Grammar Fuzzing
2025-11-11: Grammar Coverage • Reducing Failure-Inducing Inputs (*)
2025-11-18: Probabilistic Grammar Fuzzing (makes use of Parsing Inputs) • Fuzzing with Generators (*)
2025-11-25: Code Coverage
2025-12-02: Mining Input Grammars
2025-12-16: Fuzzing with Constraints and exercises in Mutation-Based Fuzzing • Greybox Fuzzing • Greybox Fuzzing With Grammars
2026-01-06: Fuzzing APIs • Fuzzing Configurations
2026-01-13: Testing Compilers 
2026-01-20: Testing Web Applications
2026-01-27: Testing Graphical User Interfaces
2026-02-03: Current Trends in Fuzzing Research

(*) Lecture conducted by Tural, Alexander, or Valentin; all others by Andreas

Every lecture discusses last week's topics and teases the new topics (and chapters) listed above, which you are to study in the following days. On 2025-11-04, for instance, we tease the chapters "Fuzzing with Grammars" and "Efficient Grammar Fuzzing." You are then to study them by the lecture the week after, in which we will discuss your thoughts and experiences. Lectures come with live coding, so we can explore ideas right on the go.

More questions? Come and meet us in the lecture hall!

Enjoy! – Andreas + Tural + Alexander + Valentin
