Is Programming Necessary to be a Successful Hacker?
Summary
TLDRこのビデオスクリプトでは、セキュリティ分野でプログラミングが必要なかどうかについて議論しています。プログラミングはセキュリティの特定の分野では必要ない場合もありますが、プログラミングを知らないことは自分自身を不利な立場に置くことになるという意見が示されています。特に、セキュリティのスキルを向上させるためには、プログラミングの知識は非常に役立ちだと述べています。また、セキュリティの様々な側面でプログラミングがどのように役立つかについて、具体的な例を挙げて説明しています。最後に、プログラミングを学ぶことでセキュリティの専門知識を深め、より良い専門家になることができると結び付けています。
Takeaways
- 👨💻 プログラミングはセキュリティの専門家にとって必ずしも必要ではなく、タスクや職種によって異なる。
- 🔧 プログラミングを知らない場合でもセキュリティ分野で成果を上げる方法はあるが、スキルの限界に直面する可能性がある。
- 🛠️ 昔はプログラミングを使わずにセキュリティツールを実行して問題を検出することはできたが、今日ではプログラミングが役立つ。
- 💼 自動化されたセキュリティテストレポートを販売する会社もありますが、プログラミングを学ぶことでさらに価値を提供できる。
- 🔑 セキュリティのスキルを向上させるためには、単なるトリックや技を学ぶだけでなく、プログラミング能力を身につけることが望ましい。
- 🚀 プログラミングを学ぶことでセキュリティの分野でより高い脆弱性にアクセスできるようになる。
- 🛡️ クラウドセキュリティなどの分野では、プログラミングは必要ない場合もあるが、プログラミング能力は役立つ。
- 🔍 コードレビューやセキュリティ_AUDITINGでは、プログラミング能力が重要で、自動化されたツールの結果を理解するために必要。
- 🌐 ネットワークセキュリティにおいても、プログラミング能力は有用で、自動化されたリコンnaisanceなどを行う際に欠かせない。
- 🛠️ セキュリティにおけるツールの構築やファザーの開発にはプログラミング能力が必要で、それらを効果的に使用するためには理解が必要。
- 🔄 自動化はセキュリティの様々なタスクで重要な役割を果たし、プログラミング能力がその自動化を可能にする。
- 🔑 プログラミングを学ぶことでセキュリティの専門家は、問題解決能力や思考力が向上し、セキュリティの分野でより価値ある存在になる。
Q & A
このディスカッションシリーズはどの頻度でリリースされますか?
-このディスカッションシリーズは隔週木曜日にリリースされます。
プログラミングはセキュリティの仕事に必要ですか?
-プログラミングは必ずしも必要ではありませんが、仕事の種類やタスクによります。プログラミングが役立つ場面は多いです。
セキュリティの分野でプログラミングが必要でない場合はどのような仕事がありますか?
-クラウドセキュリティやIAM(Identity and Access Management)の権限管理など、プログラミングが必ずしも必要でない仕事があります。
プログラミングスキルがない場合、セキュリティの仕事でどのような制約がありますか?
-プログラミングスキルがないと、より高度な脆弱性を見つけることや、自動化されたツールを効果的に使用することが難しくなります。
セキュリティの仕事でプログラミングが役立つ理由は何ですか?
-プログラミングは、ツールの構築、スキャンの結果の理解、脆弱性のトリアージなど、多くの場面で役立ちます。また、プログラムの自動化により、作業の効率が向上します。
プログラミングができない場合、どのような方法で脆弱性を見つけることができますか?
-基本的なトリックを学ぶことで、いくつかの脆弱性を見つけることができます。しかし、そのような方法では高度な脆弱性を見逃す可能性があります。
コードレビューを行う際にプログラミングスキルが必要な理由は何ですか?
-コードレビューでは、コードを理解し、潜在的な脆弱性を特定するためにプログラミングスキルが必要です。
セキュリティの仕事でどのようなプログラミング言語を学ぶべきですか?
-C言語などのネイティブ言語、オブジェクト指向言語(例:Java、.NET)、および機能言語を学ぶことをお勧めします。
セキュリティの仕事において、自動化が重要である理由は何ですか?
-自動化は、スキャン、リコン(偵察)、および脆弱性の特定など、多くのタスクを効率的に行うために重要です。
セキュリティの分野でのスクリプトキディとは何ですか?
-スクリプトキディとは、他人が作成した既存のツールやスクリプトを使用して脆弱性を探す人のことを指します。独自のスキルや知識が乏しい場合が多いです。
Outlines
💻 プログラミングとセキュリティの関係
この段落では、プログラミングがセキュリティ仕事に必要なスキルかどうかについて議論されています。議論者は、プログラミングが必ずしも必要なわけではなく、タスクやジョブによって異なると述べています。しかし、プログラミングを知らない場合、セキュリティ分野で不利になる可能性があると指摘しています。過去10〜15年ほど前には、既存のツールを実行するだけでセキュリティの分析ができた時代がありましたが、今日ではプログラミングが多くの場面で役立つと語っています。
🔒 プログラミングスキルの欠如とセキュリティ
この段落では、プログラミングスキルがなくてもセキュリティの基本的な分析は可能であるが、そのスキルがないとセキュリティの上限に達することが困難であると述べています。プログラミングを知らない場合、特定の脆弱性を見つけることができないという問題や、セキュリティのスキルを向上させるためにプログラミングスキルが必要であることが強調されています。また、クラウドセキュリティやIAMの例を挙げ、プログラミングが役立つ場面があると述べています。
🛡️ 防御側でのプログラミングの重要性
この段落では、防御側のセキュリティ分野でプログラミングがより必要であると主張しています。プログラミングを知らない場合、特定のタスクを実行することは可能ですが、システム管理の側面でスクリプト言語が必要な可能性があると述べています。また、コードレビューやペンテストツールの構築、ファザーの開発など、プログラミングスキルが重要であることが強調されています。
🔧 プログラミングスキルとセキュリティの関連性
最後の段落では、プログラミングスキルがセキュリティの専門知識にどのように関連しているかについて議論しています。プログラミングを知ることで、セキュリティの問題をより深く理解し、アプリケーションやネットワークの動作を把握することができます。また、プログラミングを学ぶことで、問題解決の方法や思考の方法が変わり、セキュリティ分野でのスキル向上に役立つと述べています。
Mindmap
Keywords
💡プログラミング
💡セキュリティ
💡ハッキング
💡自動化
💡セキュリティツール
💡コードレビュー
💡脆弱性
💡スクリプト・キティ
💡クラウドセキュリティ
💡ファザー
Highlights
The necessity of programming in security work varies depending on the job or task.
Not knowing programming can put one at a disadvantage in modern security practices.
A decade ago, one could manage without extensive programming knowledge by using existing tools.
There are security tasks, such as using automated pen test reports, that can be done without programming but are less valuable.
Learning basic tricks can lead to finding vulnerabilities but limits one's skill ceiling.
Programming knowledge helps in creating and understanding custom tools and scripts for security.
Script kiddies, who rely on existing exploit scripts, limit their potential in security.
Some areas of security, like cloud security with IAM permissions, may not require programming but can benefit from it.
Programming is more necessary on the defensive side for tasks like automating system administration.
Code review and auditing are significantly enhanced with programming skills.
Understanding code is crucial for effectively triaging findings from automated tools.
Fuzzing has become a standard part of vulnerability research and requires programming.
Manual auditing is essential, but fuzzers provide additional findings that are now part of the process.
Triage skills are necessary for understanding and acting on the results of security scans.
Programming knowledge helps in visualizing how applications are built and how they might be exploited.
Having a basic understanding of programming is sufficient for most security roles.
Programming teaches problem-solving skills that can be applied to security.
For code reviews, having experience with multiple programming languages is beneficial.
Upcoming video will discuss which programming languages are good for security and their reasons.
Learning to program is recommended for those aiming to improve their security skills.
Transcripts
[Music]
hello everyone
welcome to another discussion video in
the discussion series we're releasing
bi-weekly on thursdays
and this one goes into is programming
necessary for security work
so you know in these videos we we give
our
you know opinions up front and mine my
opinion here is not necessarily it
depends on
uh you know the type of job or task
you're trying to do
um so i'll let you jump in there z and
state what you think on that yeah i
pretty much agree like there are areas
of security where
programming maybe isn't necessary
that said you're definitely putting
yourself at a disadvantage by not
knowing me in this day
programming is going to help you out in
so many ways regardless of it being
security
but i mean without kind of focusing
ourselves in on
traditionally what you might call
hacking um
if you go back in time like uh you know
10 15 years ago you could definitely get
away without a lot of programming
knowledge just running some of the
existing tooling that's out there
that was being released especially close
to the 10 years ago
a lot of tools coming out a lot of
things that you can just kind of run and
companies still
actually make you know they'll sell just
an automated pen test report
you know running whatever automated
tester they've got
run that gets report ship it off to the
client and charge them
however much they want for it so you can
still kind of make money you can still
profit without that but
i'm hoping most of our listeners
actually kind of care about the skill
that's
part of the craft rather than just doing
the bare minimum to get money
uh kind of leaving yourself on the no
side when it comes to as
you can make money you can actually make
a good bit of progress without needing a
lot of programming skill
you can learn some of the basic tricks
you know putting in a going around the
internet putting in a single quote into
a bunch of text boxes
you're probably still going to find some
maybe not as much as you would if a
while back but
you're still going to find things but
you're basically just learning a bunch
of
tricks to do that so like i said that
single quote
do the same thing with your angle
brackets double quotes whatever
look for cross-site scripting um looking
for eye door type issues again just
change a number in a url like you can
learn these tricks you can do them you
can find
plenty of issues that way and actually
be fairly
fairly productive doing that but there's
the skill ceiling
um no matter what you do if you're not
able to do any programming if you're not
able to do anything that work yourself
you're just limiting yourself
yeah i mean the problem with tricks is
it's easy to miss
issues that wouldn't be caught by using
those common tricks and that's like
you know as soon as you use that trick
you don't really know how to augment it
or modify it to
potentially find an issue that could
still exist it's just not as easily
hittable
yeah because they have some kind of
filter in front of it or something
that's maybe not adequate but is
adequate enough to prevent those tricks
from doing anything
yeah that's kind of the thing it's that
part that's that skill ceiling that was
mentioning is
you're not at the point of being able to
hit the harder vulnerabilities if you're
just doing those tricks
uh i mean it is traditionally like what
i would call a script kitty who's doing
that even if they are
manually uh doing some of these exploits
i do think with the advent of web
exploitation script kitty has kind of
lost its meaning just because of how
how the web has kind of impacted
vulnerabilities versus when
people were just kind of running around
with existing existing kind of released
exploit scripts um
that said i mean you you kind of put
yourself into that sort of category
you're not
you're not providing much value
you're just kind of you can still be
productive though
is i guess my main point like you can be
productive but
your value really isn't there it's about
as valuable as any other company just
running an automated scanner
so there are some areas where i think
programming isn't really necessary
and uh what came to mind when i was
thinking of this was
on the last podcast we did which was
episode 48 uh we we covered cloud
security stuff
you know with aws and talked about iam
permissions and stuff like that
managing those kinds of permissions i
would still consider security and you
don't really need
programming experience to do um though i
think programming experience might be
beneficial for doing that but i don't
think you absolutely need it
that was one area i was kind of thinking
of even on that podcast episode
they uh used some programming to
automate
uh enumerating the various um various
roles that they were able to access and
definitely made heavy use of programming
skill
in order to do or in order to pull off
their attack
i mean you setting it up on the
defensive side sure but actually i'd
argue that on the defensive side
programming becomes a little bit more
necessary
you could do that particular task
without it
but anybody who's doing that task is
probably doing a lot more of the
sysadmin side things too
which you're probably going to want at
least kind of your daily driver
scripting language for that said
i don't really want to focus on like the
defensive side too much
just because i haven't worked while i
worked as a
developer with some security folks but i
haven't really worked on that blue side
too actively yeah that's fair
um my main point though is when it comes
to auditing like code review and stuff
like that it becomes a lot more
important
you know with with code review
especially it's kind of in the name
um you know like you were saying earlier
there are some automated things where
you might not necessarily need it
you know when you're getting into like
running meta split modules stuff like
that
but especially when it comes to building
tools for pen testing
uh building scanners fuzzers that kind
of stuff
you definitely need programming
experience to be able to do and even if
you're just running tools and not
necessarily building them
you want to be able to understand what
you're looking at when you find things
or
you get reports from automated tooling
so that you can triage it
and you know in order to do that you you
probably do need to understand the code
to some degree
that's actually i think a really
important point on the
building fuzzers kind of jumping back a
little bit but
automation so we're talking about
fuzzers right now but um
other areas like in terms of more
general pen tasks so if you go more on
the network security side of things
you still need to automate like there's
so much more automation going on when it
comes to recon and stuff
um and just as part of the normal task
like there's a lot of automation that
happens
that you're really at a disadvantage if
you can't
develop your own tooling just to hit
some endpoint to enumerate something
whatever
so as we're even saying with the cloud
thing like they use some of the
they wrote a script to enumerate what
was available
um through the i am rules uh
so i mean like the programming you know
is going to augment everything and
these days i think you know fuzzing
especially on the exploit development
side of things and vulnerability
research
buzzing has kind of become the key thing
that yes i mean manual auditing is still
essential
but having the fuzzer going having a
fuzzer giving you some findings has just
become a standard part of the process
now
uh that you basically you need
programming in order to be able to do
that just even on like a small
uh small little project you know a
little web app you just quickly script
up all of the end points you've got and
toss a quick fuzz right and see what
happens
so i mean it's definitely essential
there going back there on your second
point though triaging
um yeah i mean when you're that
also uh i guess that triaging from the
crashes knowing the results of any of
the scans so
while i do kind of hate on the companies
that just provide like a scan report
scans are valuable there's a chance that
it might notice something you missed but
it's also
it's just kind of a safety net in a
sense like you just run it you see what
it gives you and it might give you
some place they're looking at manually
and being able to understand the results
and kind of uh
like the term grok or intuitively
understand the results
being able to look at those results and
then work off of that so when it comes
to the triaging
you definitely need that when you're
looking at a crash dump or something but
it also just comes to the output of
any of us any scanners like you might
understand that saying like hey here's
an issue and here's kind of what happens
but how you take advantage of that issue
to actually do something important
is kind of where it could help to have
the programming knowledge to understand
how the application might be built
what components say maybe a trust and
just kind of have that visualization and
i said before that intuitive
understanding
yeah so overall i think even though
programming might not be necessary for
every type of job
it's an overall benefit and there's no
reason not to learn it
um because it's only going to benefit
you right it's not going to draw back on
you at all really
um i do kind of want to clarify though
when we say you know knowing programming
and stuff i don't mean
you know you need to become a
full-fledged software engineer knowing
like
you know the ins and outs of cs and
algorithms and all that stuff
um unless you're auditing something
that's specifically entrenched in those
areas of like algorithms and whatnot
um i think for whatever reason people
think that if you don't know all the ins
and outs of like devops and
and software engineering that you can't
do security and i think that's a little
bit
too far past the line um i just don't
think that's true at all for most cases
yeah for a lot of security i mean you're
not
you need to have a general understanding
about how applications are built kind of
what's going on behind the scenes
especially when you're dealing with like
a black box environment
where you see the ui but you haven't
really gone in or you can't in some
cases reverse engineer the actual code
but you can look at what's happening on
the front and be like okay this is
probably this in the back end
how this kind of works how this fits
together so you need to understand how
applications are kind of built or how
networks are configured on like the
network security side of things you
don't need to be like the greatest
programmer and being like a amazing
programmer
doesn't translate into security ability
either
uh no doubt having that understanding
helps
but i mean there's kind of the
diminishing returns at a certain point
once you kind of have your basics down
security becomes reasonably accessible
like if you could build a similar app to
what you're targeting
um and by similar i do mean like much
lesser quality
you know like i don't expect you to know
how to write
like a full-scale linux kernel uh before
you can actually start attacking it but
like if you
understand the basics of operating
systems it's at least approachable to
you
then you can start jumping into the
security side of things
and a point i'll throw on there too is
just the the programmer way of
you know thinking and problem solving in
and of itself
uh can be useful for figuring how to how
figuring out how somebody would like try
to circumvent permissions or something
for example
so even where programming isn't used
directly what it teaches you and the way
of thinking
it it you know molds you to think
i think that could be transferable so
yeah and i guess one other things you
know if you're doing a code review you
kind of need to know how to program
part of the thing is actually on that
note
you don't you don't necessarily need to
be as we've already said like the most
amazing programmer out there
you do kind of need some experience with
different languages though
usually somebody who's done security
isn't just going to know one language
i think some areas you can kind of get
away with a single language where it
comes down to like automating recon and
stuff you can maybe get away with just
some like python or like that daily
drive
language uh but when it comes if you're
doing kind of the code review
level doing doing stuff at that level
you kind of need to have an
understanding of several different
languages
rather than just one but um
you'll start noticing a lot of
similarities between languages so you're
kind of able to pick things up
really quickly once you've kind of
started learning one or two languages um
i tend to recommend like a um
a native language like c and then learn
object oriented because
it's used all over in enterprise
code.net stuff is using it java stuff
um so like you see those two a lot and
then a functional language kind of
be an edge case on some of the other
weird things you might run into and
that kind of catches you up on uh
most things you're going to run into in
terms of like doing code reviews uh
you'll be able to pick up
almost any language if you kind of have
those fundamentals
so our next video will be going into
programming languages
and you know which ones are good to know
for security and for what reasons and
stuff like that so keep a look out for
that
in uh in the next two weeks time that
way you know you can
you can get kind of both parts to uh
this discussion
that said i think on this discussion
specifically we'll we'll wrap it up here
unless you have any last-minute thoughts
see no
i guess i would just end off by saying
if you want to actually you know get
good
and have some decent skill which i think
you should probably aim for
yes just start learning to program if
you don't know that already
all right so i'll end off by saying we
do have our
day zero podcast if some of you you know
haven't heard of that
we we run those on monday at 3 pm
eastern 12 pm pacific
so check those out if you haven't
already we also have these discussion
videos every two weeks on thursdays
usually they're released around the
morning i think around 8 a.m or so is
when we try to get them out
so keep a lookout for those other than
that though we will see you guys in the
next discussion video
Ver Más Videos Relacionados
5.0 / 5 (0 votes)