Re: Programming skills for Pen Testers

From: Jeremy Saintot (jeremy@caramiel.com)
Date: Tue Feb 28 2006 - 05:18:50 EST


Hello,

Sure, programming does not inevitably take part of a pen-test. But don't
you think some coding skills could be useful to perform certain tasks ?
Not just talking about reading/patching/compiling an exploit or something
found on the Internet, but sometimes you can use scripting languages such
as Perl to automate some tests or other things...

I think programming skills are not fully required, but at least recommended
for a pen-tester. How can you understand buffer overflows if you don't know
about C and/or Assembly ? What about applicative web vulns if you don't
have
any PHP/SQL/XSS skill ?

As an answer, I would say that at least one compiled language (C) and one
scripting language (Perl) are recommended and can be useful for a pen-tester
if intelligently used.

Regards,

Jeremy

Craig Wright wrote:

>Hello
>First just to get this in C programming is a good skill. C++ is also not
>bad to have. This said, what the hell is this doing in a pen test
>discussion.
>
>/*
>** start rant
>*/
>
>How can anyone here honestly state that programming skills are needed
>for pen testing? An audit of source code is NOT a pen test. This does
>require coding skills - they are not the same thing and anyone who
>thinks they are is under a delusion.
>
>Are we talking "Vulnerability Research' or Pen. Tests? Do we all
>understand that they are NOT the same thing?
>
>If a business/organisation/etc is paying you for 20 hours of applied
>testing - I certainly hope that you are not going off on some ill
>conceived tangent and effectively taking their money without doing the
>service you have been commissioned for?
>
>Thomas is correct "Time is money - your customers money" - Do not forget
>this!
>
>Welcome to reality. There ARE time constraints. You are not paid to
>research every possible theoretical vulnerability or find a new buffer
>overflow in a Pen Test!
>
>No wonder businesses do not trust information security. No wonder the
>profession is not being taken as seriously as it should be.
>
>/*
>** Rant complete
>*/
>
>
>Regards
>Craig
>
>

------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed
enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA)
and Response solution, leverages Cisco NetFlow to provide scalable,
internal network security.
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response
Systems in the Enterprise."

http://www.lancope.com/resource/
------------------------------------------------------------------------------