Learning to Code For Infosec

A commonly-repeated mantra for current and future practitioners at InfoSec conference talks, blog posts, and Twitter threads is that one must learn to code. Websites, tools, and proof of concept exploits. Those who can’t are severely limited career-wise because they remain dependent on those who can.

Great advice. However, its givers typically overlook a key question that receivers — especially beginners with less knowledge of or are undecided between different InfoSec domains — usually have:

What type(s) of coding should I learn to be able to produce strong results while being flexible to pivot across different InfoSec domains?

I will address this question by delineating a learning pathway.

Python

Python should be the first step for beginners. Its minimal syntax and automatic memory management allows beginners to focus on mastering basic concepts without significant distractions.

Its ease of scripting combined with powerful standard and third-party libraries makes it well-suited for performing a broad variety of tasks. Hence, it is the language of choice for making automation and analysis tools for every concievable InfoSec need, ranging from digital forensics and penetration testing to applied data science and open-source intelligence. Even if one doesn’t write the tools they use, examining their workings may sometimes be necessary. Its explosion in popularity among developers means that application security practitioner and bug hunters need to be able to audit ever-expanding Python codebases. Finally, knowing how to work with Python makes for an easy transition to Bash, Powershell, and other scripting languages that system administrators use when working in the blue team.

When starting, use it to learn programming basics. What arrays, linked lists, queues, stacks, and heaps are. How class inheritance works. A solid grounding in the programming fundamentals will prepare you well for working with its InfoSec applications. One can’t run before learning how to walk.

C++

C++ was released in 1985 as an object-oriented extension of C and has become widely used since. Its backwards compatability with C means that one learns two languages for the price of one!

C and C++ are

1. Memory unsafe: programmers can directly access and manipulate computer memory.
2. Everywhere: operating systems, applications, embedded systems, device drivers, browsers, databases, you name it.

This means that hackers can use their memory-accessing capabilities to attack a broad variety of targets. And while memory-safe alternatives like Rust are gaining prominence, rewriting million-line codebases is an expensive and time-consuming task few companies want to do. A perfect storm.

This has its effects. Reverse engineers need to deduce how an exploit was written. Application security teams need to develop and evangelize company-wide standards for secure coding practices. Penetration testers, bug hunters, and exploit developers need to understand how systems can be attacked. Knowing C/C++ and their memory-manipulation capabilities is essential.

An additional benefit of C++ is that it doesn’t conceal functionalities from the programmer, unlike other languages. It is like driving a car in manual. Java or C# are like driving with automatic transmission. Learning it helps one to understand what is happening on underneath the proverbial hood and makes transitioning to other languages easy.

Assembly

All programs get converted by a compiler into it. This is as close as human-readable programs get to computers’ natural language; processor hardware directly maps it into binary for execution.

Because compiling code from a higher-level language to assembly is an irreversible process, forensics and malware analysts read binaries dissembled into Assembly. Exploit devlopers, penetration testers, and security researchers also use it to uncover vulnerabilities and to craft and modify payloads attacking them.

Web Design

The world is increasingly moving to conduct personal and business activities over the Internet and the skyrocketing number of IoT devices usually have web interfaces for configuration or interaction. They are increasingly-serious attack vectors capable of compromising devices and organizations. The need for pentesting them and securely designing them has never been greater.

To secure them, one must first know how they work. First learn the frontend. How elements get listed, formatted, and are made interactive. Backends are built with specific database and API tools and frameworks that can be learned after developing a basic skillset. Learn the basics and you’ll be on your merry way.

This path should fulfill the goals of helping learners master programming concepts in a friendly fashion while equipping them with the skills they need for pivoting easily into any InfoSec or tech domain of their choosing.

This was originally published on Nathan Pavlovsky’s personal blog at secnate.github.io