Why programming skills are essential for penetration testers

Originally Posted at Why programming skills are essential for penetration testers by Shashank Barthwal @shashank.CloudSEK and Janet Jose @janet.jose


Some security professionals across the world would say that one does not need to learn coding to hunt for bugs in web applications. In fact, some experienced security professionals would go even further to suggest that entry-level positions in cybersecurity and hacking do not require extensive knowledge of programming.

Although this holds true to some extent, a career in hacking and pen-testing web applications demands in-depth knowledge in programming.

Where do many researchers go wrong?

In case of Cross-Site Scripting (XSS) attacks, for instance, researchers report the bugs by triggering an alert. This clearly does not call for advanced understanding of programming.

But they may lack the skills to exploit the same bug to create JavaScript code so as to steal cookies or leverage the XSS bug to carry out other malicious activities.

Inspired by such bounty hunters, beginners in the field assume that all they have to do is fire up Burp Intruder, add a list of payloads, and prompt an alert on the browser to earn a quick buck.

Why do you need to learn programming in security testing?

Understanding the application:

Awareness and proficiency in programming can help a researcher understand an application’s infrastructure and the implementation of its many functionalities. Once you are familiar with the workings and technicalities of web applications, even entry-level programmers can certainly outsmart amateur coding enthusiasts.

Attack automation:

Hackers use tools such as Nmap, Metasploit, Amass, etc. to automate enumeration and exploitation processes. Automation of enumeration attacks saves them a lot of time and effort. By learning how to code, you are also opening yourself up to vast knowledge, which can guide a beginner to build such tools on their own. Apart from that, while pen-testing, a programmer at some point will have to write code that can exploit a vulnerability; for instance, when you have to pass the current timestamp along with a request, you need to automate it using coding. This requires that you are well versed in programming.

Conclusion

Programming is said to be the future of innovations, and a necessary skill to master. Therefore, a security professional should undergo training and have adequate knowledge regarding programming. Anyone pursuing a career in penetration testing should consider programming as an essential part of their occupation. It does not merely set you apart from peers, but also gives you a competitive advantage over them.

Happy Automation!

12 Likes
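The timestamp case from the post's "Attack automation" section, as an added example that is not part of the original post: a request saved from a proxy carries a fixed timestamp and goes stale, while a script stamps each test request at send time. The `ts` parameter name, the 30-second freshness window, the placeholder URL and the `server_accepts` model of the application's check are all assumptions made for illustration.

```python
import time
import urllib.parse
import urllib.request

MAX_SKEW_SECONDS = 30  # assumed freshness window enforced by the application


def build_request(base_url, params, now=None):
    """Return a GET request whose `ts` parameter (assumed name) is stamped at call time."""
    stamped = dict(params)
    stamped["ts"] = str(int(time.time() if now is None else now))
    return urllib.request.Request(base_url + "?" + urllib.parse.urlencode(stamped))


def server_accepts(url, server_now, max_skew=MAX_SKEW_SECONDS):
    """Hypothetical model of the application's check: reject missing, malformed or stale ts."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    try:
        ts = int(query["ts"][0])
    except (KeyError, ValueError):
        return False
    return abs(server_now - ts) <= max_skew


def run_test_cases(base_url, cases, clock=time.time):
    """Stamp each test case just before it would be sent and record the verdict."""
    results = []
    for params in cases:
        req = build_request(base_url, params, now=clock())
        results.append((params, server_accepts(req.full_url, clock())))
    return results


def demo():
    base = "https://app.example.test/api/search"  # placeholder for an in-scope endpoint
    t0 = 1_700_000_000  # constructed clock value
    captured = build_request(base, {"q": "a"}, now=t0).full_url  # request saved earlier
    replay_ok = server_accepts(captured, server_now=t0 + 600)  # replayed 10 minutes later
    ticks = iter(range(t0 + 600, t0 + 700))  # simulated clock, one second per reading
    fresh = run_test_cases(base, [{"q": "a"}, {"q": "b"}], clock=lambda: next(ticks))
    return replay_ok, [ok for _, ok in fresh]


if __name__ == "__main__":
    print(demo())
```
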

This article is trending on Google News.

2 Likes

Which is an important language used in pen-testing? I got one: JavaScript.

1 Like

Nice one… Programming is one of the pillars of cybersecurity.

Along with JS, I would definitely add Python to it. A lot of tools are available in Python, and it is easy to learn and very useful for quickly writing a dirty script to automate parts of your workflow.

5 Likes

As @mayanksatnalika suggested, Python is the easiest among the languages that can be utilized for attack and enumeration automation in cyber security. One should add Python to their security skill set.

I don’t know any Python libraries. I have done CCNA security+ and CompTIA Security, but I have only done the theory part; I didn’t get a chance at practical knowledge. I did them on the LinkedIn Learning portal. How can I learn more about Python libraries and hands-on practical labs? I have done automation in Selenium using Python; will it help me in any way in cybersecurity? Python is now everywhere. Thank you, sir!

You don’t necessarily need to dive deep into modules, as there is nothing like a “module for hacking”. The modules that are utilized in Python for security stuff are the ones you use for general purposes.
For example, you might be aware of the request module in Python, which is used for sending HTTP GET and POST requests. Such general-purpose modules can be used for bruteforcing passwords on a web application or sending malicious POST data in requests.

Another example is the socket module. It’s used for creating a socket connection from one socket to another. But it is heavily used in buffer overflow attacks and sending malicious packets.

You will learn about such awesome stuff in Python by doing CTFs and creating projects.

3 Likes

@gurugd19 you should not learn a language in this way. Libraries are just bunches of code that are already written so that you can use them whenever you need, depending on your requirements (a simple Google search will help at that time).
Learn a language to an extent while practicing it by doing simple challenges on sites like Hackerrank or creating scripts while doing CTFs on TryHackme, Hackthebox, etc. Doing these will help you in cybersecurity.

3 Likes

Thank you so much @shashank.CloudSEK and @nagarajcruze.

2 Likes