Re: Programming skills for Pen Testers

From: intel96 (intel96@bellsouth.net)
Date: Sun Feb 12 2006 - 13:08:26 EST


I think having some basic programming skills are a must when doing
pen-testing and other security work (e.g. looking at virus code, finding
systems changes, etc.). Over the years I have learned how to debug
code, decompile code, and even writing my own tools, because some of the
open source did not meet my requirements. I subscribe to developer
magazine and forums to learn. I even pay to have private one-on-one
classes with some of my commercial security tools developer friends to
learn more.

In this fast pace security environment in pays to keep ahead of the
Jones................................ (and yes I have a life outside of
work ;)

FocusHacks wrote:

I honestly don't think that programming in C is any sort of a
> prerequisite for a penetration tester. It's perhaps a pre-requisite
> for a security researcher.
>
> There was a discussion not long ago where we talked about how many
> pen-testers actually sit down, wade through other peoples' code look
> for exploitable code, and write PoC code. Not many pen-testers do
> this. First off, if a person has those sort of skills, they can
> probably make more money in development QA than they can as a
> pen-tester, and next off, that sort of task takes a LOT of time, and
> they wouldn't have enough time in a week to get any pen-tests in, if
> they were sitting in front of a computer all day long grokking code.
>
> C++ is object oriented C. If you learn C++, you'll learn C, and if
> you learn C, learning C++ isn't hard, but learning how to think
> object-oriented causes some people problems.
>
> Most normal UNIX stuff is just written in plain old vanilla C, though.
>
> On 2/9/06, johnny Mnemonic <security4thefainthearted@hotmail.com> wrote:
>
>> ok we all know that in addition to good network, host and application
>> security skills, programming in C is a pre-requisite for a decent pen tester
>> or at least one who wants to write their own security tools or simply audit
>> the open source code they use. My question is, despite their similarities
>> should a pen tester be concentrating on C or C++ ? That's it!
>>
>> Thanks.
>>
>> _________________________________________________________________
>> Get MSN Hotmail alerts on your mobile.
>> http://mobile.msn.com/ac.aspx?cid=uuhp_hotmail
>>
>>
>> ------------------------------------------------------------------------------
>> Audit your website security with Acunetix Web Vulnerability Scanner:
>>
>> Hackers are concentrating their efforts on attacking applications on your
>> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
>> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
>> futile against web application hacking. Check your website for vulnerabilities
>> to SQL injection, Cross site scripting and other web attacks before hackers do!
>> Download Trial at:
>>
>> http://www.securityfocus.com/sponsor/pen-test_050831
>> -------------------------------------------------------------------------------
>>
>>
>>
>
>
> --
> http://www.FocusHacks.com - The Ford Focus Modification Site!
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT