Programming languages and Cybersecurity
Codes are fundamental blocks of logic which drives businesses all around the world today.
Now, there are several questions revolving around the programming languages in our cybersecurity domain, this blog post will help you identify and make an informed and conscious decision about the same. It’s an attempt to shed light on the existing scenario of debates happening, and perhaps, there are certain phases in one’s life where you question if learning programming language is necessary to excel in your career.
To address these diverse issues, I will lay down some points, but not my opinion, to streamline the order of discussion.
- Learning programming language/s does no harm, its in fact great to have background which enables you to code and understand the logic of applications, APIs, …
- Cybersecurity domain is huge, it has technical job roles, but also nontechnical like- IT Governance, Risk and Compliance, Management positions, responsibilities concerning laws of the states and so on…
- Yes it is possible to do just fine without learning how to code a single line of program, in cybersecurity.
- Toxicity arises when one intends that — It is necessary or compulsory to know how to code in this industry. This perspective is narrow minded and completely disregards the importance of nontechnical / management side of cybersecurity. So being inclusive is needed here, we can’t afford to be ignorant about the other important aspects of our industry.
- Perhaps, one of the most important point is- You need not to be a developer to carry out your cyber operations(ops), whether you’re in offensive, or defensive side. This is not how one should approach to learn programming languages in cybersecurity. More on this later.
Now I’ll orient this discussion in the order of these following points-
- Why to learn programming language/s in cybersecurity?
- Which language/s should I proceed with? (This point assumes that somehow you’ve understood the essence of programming language and now you’re motivated to learn one!)
- How should I learn the programming language/s of my choice?
- How to measure my progress and stay motivated?
- How to excel in my career in cybersecurity?
Why to learn programming language/s in cybersecurity?
Well, you might have come across the need to automate some repetitive tasks, or the idea of customizing tools according to your needs, or some unique idea which you wish to implement and there hasn’t been anything like that before. Or, suppose if you’re in red team operation and there’s this circumstantial need to work with the vulnerable code written in C language, so you’ve to be careful how you make it do things which it is not supposed to do, and also stealthily. All of these needs and ideas require you to structure your logic in certain way which would do the intended task.
Programming languages enable us to structure our human logic, so that we can automate tasks, implement new ideas, customize existing code base, tools, and make things work our way. This aspect assumes one is doing something technical in cybersecurity, irrespective of actually being in technical or nontechnical job roles. The level of depths in which one is interacting with the given technology in hand, will also dictate the needs to learn either technology specific language or any given language which could get the job done.
Which programming language/s should I proceed with?
To begin with- If you’re on *nix system, I will suggest one learning native scripting language first, say bash / zsh scripting to automate most of the system related things. There are different flavors available (cat /etc/shells). To check your current shell in use- (echo $SHELL). If you’re on windows, one can proceed with batch scripting or learning PowerShell scripting, I’ll prefer powershell, since its cross platform (7.0 onwards).
Let’s talk about technologies before we start with the choice of languages. I consider programming languages (all of them) as 1 single technology, then databases as a separate technology, virtualization as another technology and cloud and then blockchains and so on, each one of these are separate technology, perhaps definition and categorization may vary.
The point I want to make here is, that the stack of technology which we are working with, may define the need of learning certain programming language/s. Nonetheless, every GPL (General Purpose Language) can address most of our needs, ideas, and problems we are dealing with. But with this, every programming language is unique in its own ways, they all have some pros and cons.
Go is fast/er, Rust has more in built security ( Rust in a nutshell : https://youtu.be/kQcIV5389Ps ), C/C++ resides more closer to the memory, Python is a great addition to your toolkit and is used everywhere today, it also have plenty of resources in offensive and defensive security. Python is simple while Ruby is natural. By no means I am intending to do Python vs Ruby or any other language, but it’s just my suggestion that one can possibly begin with Ruby. Metasploit-framework is all coded in Ruby. If you wish to learn internals of msfconsole, and play with their APIs, customize the way stagers and handlers work, getting better at defense evasion using metasploit then that’s the way.
Tools like Scapy ( https://github.com/secdev/scapy ) and Sqlmap ( https://github.com/sqlmapproject/sqlmap ) are purely written in python. Burp Suite uses Java heavily.
For web application penetration testing, I will suggest one getting familiar with HTML, CSS, JavaScript, and learn PHP, some server side languages like Node.js, Django… and other similar frameworks. If you wish to craft advanced SQL Injection payloads, then you should learn SQL .
Few tweaks and we’re good to learn database specific utilities too also for running system commands using SQL (assuming you compromised a service account).
For red-teaming / penetration testing, Python, Ruby, Go, Rust, and so on, At this point I would like to say- The choice of general purpose programming language really doesn’t matter, until you get good at one of them to carry out your works. Learn how to program, like I said before, everyone of those out there has more or less the same stuff. Go after patterns, the common architecture rather than memorizing syntax, and you’ll see magically you’ll be able to handle multiple languages, then syntax becomes secondary.
If you wish to get deeper in and closer to the memory, then learn Assembly language (IA-32 & IA-64 bit Intel assembly) and C language, this will expand your horizons in these domains in cybersecurity- Malware development and analysis, exploit development, reverse engineering. These domains assume that one has background in the languages mentioned above.
If you are working to automate stuffs in clouds, or active directory security in general, you might consider learning powershell, it’ll be of great help.
A true red-team engagement requires one to be as stealthy as possible. Doesn’t matter whatever adversarial activity we carry out in target’s environment, it has to be done in stealthy manner, cloaking our activities. Say establishing persistence, privilege escalation, data exfiltration, post-exploitation enumeration activities, lateral movement and so on… (Remember- In penetration tests, one is against the defense mechanisms in place, whereas in red-teaming, one is against the defense mechanism and defenders, to emulate / simulate the real world threats)
So for defense evasion in red team engagements, one can learn C#, much work has been done in that direction, you can use any language of choice, since C# derives its power sitting on top of .NET just like powershell and F# . For removing .NET confusion, please watch this video- https://youtu.be/4olO9UjRiww and for getting in-depths of the choice above, watch .NET Core for Malware talk by Ryan Cobb in SO-CON 2020 https://youtu.be/woRfx5D2Y9Y
If you wish that I make a comprehensive blog post detailing about various domains within cybersecurity and how should one approach them, then comment below, or reach me out on twitter https://twitter.com/KillSwitchX7 , I love to hear feedback.
How should I learn the programming language/s of my choice?
Get basics cleared from either YouTube vids, blogs, or official documentations alone, bootcamps, workshops, courses on TCM academy (python), udemy, pluralsight… whichever works for you, get it done. Aid your learning experience with joining Discord communities geared towards cybersecurity- https://medium.com/@KillSwitchX7/cyber-security-discord-servers-7d9c0b7cd7cb .
There are n number of resources out there to help you out, even after that if you don’t find Convenience then ping me on twitter, I’ll guide you.
Cyber Security side- Black Hat Ruby, Python, Rust, Go. Gray Hat C# and Cybersecurity Ops with Bash
Above were mere books, there are plentiful of video courses, conferences, workshops, and even bootcamps on offensive and defensive tradecraft in cybersecurity.
How to measure my progress and stay motivated?
Set goals for achieving some tasks or implement ideas : don’t go aimless. Make sure dopamine kicks in!
[+] Practical aspect -> Wanna customize existing open source tools? or contribute to it? Appreciation will make around the way, our cybersecurity community is closely knitted.
Share your code, it truly helps. Peer reviews, how you could do better at implementation. Show up with your stuff, see how like minded people start helping you.
[+] Practical aspect -> Learn from the best of the talent pool available, people are so talented, I can’t press upon. Cherish this opportunity. You’ll go from using complex structure of if-else-elsif to using classes, methods, functions, and progressing to metaprogramming / function programming or more advanced concepts, who knows!
Set realistic goals, don’t hardwire yourself for perfection. Be process oriented person, progress will come, and progress leads you to places!
[+] Nemesis of progress aah! “The perfectionist”, I tried over 14 times to learn python, couldn’t get any further, then I hopped to Ruby and my life has changed since then. I mean, pick up whichever works best for you. The choice of Python, then, was a perfect choice for me, plentiful of work has already been done, lots of resources and so on…
Fail, fail hard. It’s really you in the end of the day, I don’t know how hard you’re training behind the walls, so its okay to fail harder, and even if there are plentiful of people critiquing you, your skills and performance delivery, take them and improve upon them. Have faith you’ll get there.
[+] Learn to stay in discipline. Even if your inner/external motivation boils down to lethargic compulsion to perform out of your misery, discipline will keep you sane throughout the process. Learning how to code doesn’t come that easy, forget about those marketing strategies. You have my respect if you’re genuinely talented to pick up on things real quick, which I know many of you do!
How to excel in my career in cybersecurity?
This comes with the culmination of this whole blog post, learning how to program and getting effective + efficient is just not enough, there are several other factors which drive your career. Like, networking with peeps in cybersecurity community and industry. For sure the knowledge of programming language will propel you in certain directions, but reaching places is important too. I won’t sugarcoat anything here. Learning programming languages opens up new doors and possibilities in the way you probably haven’t imagined yet, but then, I am person who is down to Mars just like Elon Musk!
I await your precious comments down below here, constructive suggestions are much welcomed. Do suggest me topics for upcoming blogs?! any specific guidance or queries, I will try my best to address it. Much love to everyone, please stay safe and warm.
