RE: Programming skills for Pen Testers

From: Boogiebruva (boogiebruva@yahoo.co.uk)
Date: Sat Feb 18 2006 - 17:57:42 EST


One of the hardest things about pen-testing, VAs, etc, IMO, is that many of
us work alone, or freelance if you will. And security covers such a large
field that we have to, supposedly, know everything about networks and OSes
and every programming language and webapp, etc etc etc. It really seems more
than one person can take, at times, just to keep up to date on the latest
developments in every field that 'security' covers. Nevertheless, I've found
that by learning languages such as shell scripting, perl, and javascript
(I'm still working away at C, with plans to move on to C++ and JAVA once I
can get my head around OOP!), I can understand more about buffer overflows,
assembly, etc.
At times I feel like I'm not up to the job - in other words, that I don't
know as much as I feel I could. But I learn more every day, I know what I
can and can't do, and, given the general state of 'info security', have
never really found it hard to, at least, harden a company's network.
Don't forget that the majority of 'attacks' come from people who know next
to nothing about computers or computing. Keeping them at bay doesn't involve
knowledge of 15 programming languages. And keeping the serious guys at bay
is not a one-man job, anyway.
In other words, learning at least C and perl can only benefit you.

-----Original Message-----
From: 7978488 [mailto:javier.augusto@gmx.net]
Sent: Sunday, 12 February 2006 21:49
To: pen-test@securityfocus.com
Subject: RES: Programming skills for Pen Testers

+1 !!!

Totally agree with you. You got to know how to code or at least how to read
code.

Of course, we're talking about serious pen-testing, aren't we?

>> I think having some basic programming skills is a must when doing
>> pen-testing and other security work (e.g. looking at virus code, finding
>> system changes, etc.). Over the years I have learned how to debug
>> code, decompile code, and even write my own tools, because some of the
>> open source did not meet my requirements. I subscribe to developer
>> magazines and forums to learn. I even pay to have private one-on-one
>> classes with some of my commercial security tools developer friends to
>> learn more.

> In this fast-paced security environment it pays to keep ahead of the
> Joneses... (and yes I have a life outside of
> work ;)

WORD UP YO!

Regards,
Jay



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:32 EDT