Is Programming Necessary to be a Successful Hacker?

00:01

[Music]

00:08

hello everyone

00:09

welcome to another discussion video in

00:11

the discussion series we're releasing

00:12

bi-weekly on thursdays

00:14

and this one goes into is programming

00:16

necessary for security work

00:18

so you know in these videos we we give

00:20

our

00:21

you know opinions up front and mine my

00:23

opinion here is not necessarily it

00:25

depends on

00:26

uh you know the type of job or task

00:29

you're trying to do

00:30

um so i'll let you jump in there z and

00:33

state what you think on that yeah i

00:36

pretty much agree like there are areas

00:38

of security where

00:40

programming maybe isn't necessary

00:44

that said you're definitely putting

00:45

yourself at a disadvantage by not

00:46

knowing me in this day

00:49

programming is going to help you out in

00:51

so many ways regardless of it being

00:53

security

00:54

but i mean without kind of focusing

00:56

ourselves in on

00:59

traditionally what you might call

01:00

hacking um

01:04

if you go back in time like uh you know

01:07

10 15 years ago you could definitely get

01:09

away without a lot of programming

01:10

knowledge just running some of the

01:12

existing tooling that's out there

01:14

that was being released especially close

01:16

to the 10 years ago

01:17

a lot of tools coming out a lot of

01:18

things that you can just kind of run and

01:20

companies still

01:21

actually make you know they'll sell just

01:24

an automated pen test report

01:26

you know running whatever automated

01:28

tester they've got

01:29

run that gets report ship it off to the

01:32

client and charge them

01:33

however much they want for it so you can

01:36

still kind of make money you can still

01:37

profit without that but

01:39

i'm hoping most of our listeners

01:40

actually kind of care about the skill

01:42

that's

01:43

part of the craft rather than just doing

01:45

the bare minimum to get money

01:47

uh kind of leaving yourself on the no

01:50

side when it comes to as

01:51

you can make money you can actually make

01:54

a good bit of progress without needing a

01:56

lot of programming skill

01:57

you can learn some of the basic tricks

01:59

you know putting in a going around the

02:01

internet putting in a single quote into

02:03

a bunch of text boxes

02:04

you're probably still going to find some

02:06

maybe not as much as you would if a

02:08

while back but

02:09

you're still going to find things but

02:11

you're basically just learning a bunch

02:12

of

02:13

tricks to do that so like i said that

02:14

single quote

02:16

do the same thing with your angle

02:17

brackets double quotes whatever

02:19

look for cross-site scripting um looking

02:22

for eye door type issues again just

02:24

change a number in a url like you can

02:26

learn these tricks you can do them you

02:27

can find

02:28

plenty of issues that way and actually

02:30

be fairly

02:33

fairly productive doing that but there's

02:35

the skill ceiling

02:36

um no matter what you do if you're not

02:38

able to do any programming if you're not

02:40

able to do anything that work yourself

02:42

you're just limiting yourself

02:46

yeah i mean the problem with tricks is

02:48

it's easy to miss

02:49

issues that wouldn't be caught by using

02:51

those common tricks and that's like

02:53

you know as soon as you use that trick

02:54

you don't really know how to augment it

02:56

or modify it to

02:58

potentially find an issue that could

03:00

still exist it's just not as easily

03:02

hittable

03:03

yeah because they have some kind of

03:04

filter in front of it or something

03:05

that's maybe not adequate but is

03:07

adequate enough to prevent those tricks

03:09

from doing anything

03:10

yeah that's kind of the thing it's that

03:12

part that's that skill ceiling that was

03:14

mentioning is

03:15

you're not at the point of being able to

03:17

hit the harder vulnerabilities if you're

03:18

just doing those tricks

03:20

uh i mean it is traditionally like what

03:24

i would call a script kitty who's doing

03:26

that even if they are

03:27

manually uh doing some of these exploits

03:30

i do think with the advent of web

03:32

exploitation script kitty has kind of

03:34

lost its meaning just because of how

03:38

how the web has kind of impacted

03:40

vulnerabilities versus when

03:42

people were just kind of running around

03:43

with existing existing kind of released

03:46

exploit scripts um

03:49

that said i mean you you kind of put

03:51

yourself into that sort of category

03:52

you're not

03:54

you're not providing much value

03:57

you're just kind of you can still be

04:00

productive though

04:01

is i guess my main point like you can be

04:03

productive but

04:04

your value really isn't there it's about

04:06

as valuable as any other company just

04:08

running an automated scanner

04:12

so there are some areas where i think

04:14

programming isn't really necessary

04:16

and uh what came to mind when i was

04:18

thinking of this was

04:19

on the last podcast we did which was

04:21

episode 48 uh we we covered cloud

04:23

security stuff

04:24

you know with aws and talked about iam

04:26

permissions and stuff like that

04:28

managing those kinds of permissions i

04:30

would still consider security and you

04:32

don't really need

04:33

programming experience to do um though i

04:36

think programming experience might be

04:37

beneficial for doing that but i don't

04:38

think you absolutely need it

04:41

that was one area i was kind of thinking

04:42

of even on that podcast episode

04:44

they uh used some programming to

04:47

automate

04:48

uh enumerating the various um various

04:51

roles that they were able to access and

04:53

definitely made heavy use of programming

04:55

skill

04:56

in order to do or in order to pull off

04:59

their attack

05:01

i mean you setting it up on the

05:03

defensive side sure but actually i'd

05:05

argue that on the defensive side

05:07

programming becomes a little bit more

05:09

necessary

05:10

you could do that particular task

05:12

without it

05:13

but anybody who's doing that task is

05:15

probably doing a lot more of the

05:17

sysadmin side things too

05:18

which you're probably going to want at

05:21

least kind of your daily driver

05:22

scripting language for that said

05:26

i don't really want to focus on like the

05:30

defensive side too much

05:32

just because i haven't worked while i

05:34

worked as a

05:36

developer with some security folks but i

05:37

haven't really worked on that blue side

05:39

too actively yeah that's fair

05:43

um my main point though is when it comes

05:45

to auditing like code review and stuff

05:47

like that it becomes a lot more

05:48

important

05:49

you know with with code review

05:50

especially it's kind of in the name

05:52

um you know like you were saying earlier

05:55

there are some automated things where

05:56

you might not necessarily need it

05:58

you know when you're getting into like

05:59

running meta split modules stuff like

06:00

that

06:01

but especially when it comes to building

06:03

tools for pen testing

06:04

uh building scanners fuzzers that kind

06:07

of stuff

06:08

you definitely need programming

06:09

experience to be able to do and even if

06:11

you're just running tools and not

06:13

necessarily building them

06:14

you want to be able to understand what

06:16

you're looking at when you find things

06:18

or

06:18

you get reports from automated tooling

06:21

so that you can triage it

06:23

and you know in order to do that you you

06:25

probably do need to understand the code

06:27

to some degree

06:28

that's actually i think a really

06:29

important point on the

06:31

building fuzzers kind of jumping back a

06:33

little bit but

06:36

automation so we're talking about

06:38

fuzzers right now but um

06:40

other areas like in terms of more

06:42

general pen tasks so if you go more on

06:44

the network security side of things

06:46

you still need to automate like there's

06:47

so much more automation going on when it

06:49

comes to recon and stuff

06:51

um and just as part of the normal task

06:54

like there's a lot of automation that

06:56

happens

06:57

that you're really at a disadvantage if

06:59

you can't

07:00

develop your own tooling just to hit

07:02

some endpoint to enumerate something

07:04

whatever

07:05

so as we're even saying with the cloud

07:07

thing like they use some of the

07:08

they wrote a script to enumerate what

07:10

was available

07:12

um through the i am rules uh

07:16

so i mean like the programming you know

07:18

is going to augment everything and

07:20

these days i think you know fuzzing

07:23

especially on the exploit development

07:24

side of things and vulnerability

07:26

research

07:27

buzzing has kind of become the key thing

07:29

that yes i mean manual auditing is still

07:31

essential

07:33

but having the fuzzer going having a

07:34

fuzzer giving you some findings has just

07:37

become a standard part of the process

07:39

now

07:40

uh that you basically you need

07:42

programming in order to be able to do

07:43

that just even on like a small

07:46

uh small little project you know a

07:48

little web app you just quickly script

07:50

up all of the end points you've got and

07:52

toss a quick fuzz right and see what

07:53

happens

07:55

so i mean it's definitely essential

07:56

there going back there on your second

07:58

point though triaging

08:00

um yeah i mean when you're that

08:03

also uh i guess that triaging from the

08:05

crashes knowing the results of any of

08:07

the scans so

08:08

while i do kind of hate on the companies

08:10

that just provide like a scan report

08:13

scans are valuable there's a chance that

08:15

it might notice something you missed but

08:16

it's also

08:17

it's just kind of a safety net in a

08:20

sense like you just run it you see what

08:22

it gives you and it might give you

08:23

some place they're looking at manually

08:25

and being able to understand the results

08:27

and kind of uh

08:28

like the term grok or intuitively

08:30

understand the results

08:32

being able to look at those results and

08:33

then work off of that so when it comes

08:35

to the triaging

08:36

you definitely need that when you're

08:37

looking at a crash dump or something but

08:39

it also just comes to the output of

08:42

any of us any scanners like you might

08:45

understand that saying like hey here's

08:47

an issue and here's kind of what happens

08:49

but how you take advantage of that issue

08:50

to actually do something important

08:52

is kind of where it could help to have

08:54

the programming knowledge to understand

08:56

how the application might be built

08:58

what components say maybe a trust and

09:00

just kind of have that visualization and

09:02

i said before that intuitive

09:06

understanding

09:08

yeah so overall i think even though

09:11

programming might not be necessary for

09:12

every type of job

09:14

it's an overall benefit and there's no

09:16

reason not to learn it

09:18

um because it's only going to benefit

09:20

you right it's not going to draw back on

09:21

you at all really

09:22

um i do kind of want to clarify though

09:25

when we say you know knowing programming

09:26

and stuff i don't mean

09:28

you know you need to become a

09:29

full-fledged software engineer knowing

09:31

like

09:31

you know the ins and outs of cs and

09:33

algorithms and all that stuff

09:35

um unless you're auditing something

09:37

that's specifically entrenched in those

09:39

areas of like algorithms and whatnot

09:41

um i think for whatever reason people

09:44

think that if you don't know all the ins

09:45

and outs of like devops and

09:47

and software engineering that you can't

09:48

do security and i think that's a little

09:50

bit

09:50

too far past the line um i just don't

09:54

think that's true at all for most cases

09:57

yeah for a lot of security i mean you're

09:59

not

10:00

you need to have a general understanding

10:02

about how applications are built kind of

10:04

what's going on behind the scenes

10:05

especially when you're dealing with like

10:07

a black box environment

10:08

where you see the ui but you haven't

10:11

really gone in or you can't in some

10:12

cases reverse engineer the actual code

10:15

but you can look at what's happening on

10:16

the front and be like okay this is

10:18

probably this in the back end

10:20

how this kind of works how this fits

10:21

together so you need to understand how

10:23

applications are kind of built or how

10:26

networks are configured on like the

10:28

network security side of things you

10:30

don't need to be like the greatest

10:32

programmer and being like a amazing

10:35

programmer

10:36

doesn't translate into security ability

10:38

either

10:40

uh no doubt having that understanding

10:42

helps

10:44

but i mean there's kind of the

10:46

diminishing returns at a certain point

10:48

once you kind of have your basics down

10:50

security becomes reasonably accessible

10:52

like if you could build a similar app to

10:54

what you're targeting

10:57

um and by similar i do mean like much

10:59

lesser quality

11:00

you know like i don't expect you to know

11:02

how to write

11:03

like a full-scale linux kernel uh before

11:07

you can actually start attacking it but

11:08

like if you

11:09

understand the basics of operating

11:10

systems it's at least approachable to

11:13

you

11:14

then you can start jumping into the

11:15

security side of things

11:18

and a point i'll throw on there too is

11:20

just the the programmer way of

11:22

you know thinking and problem solving in

11:24

and of itself

11:25

uh can be useful for figuring how to how

11:28

figuring out how somebody would like try

11:30

to circumvent permissions or something

11:31

for example

11:32

so even where programming isn't used

11:34

directly what it teaches you and the way

11:36

of thinking

11:37

it it you know molds you to think

11:40

i think that could be transferable so

11:44

yeah and i guess one other things you

11:46

know if you're doing a code review you

11:47

kind of need to know how to program

11:50

part of the thing is actually on that

11:51

note

11:53

you don't you don't necessarily need to

11:55

be as we've already said like the most

11:57

amazing programmer out there

12:00

you do kind of need some experience with

12:02

different languages though

12:03

usually somebody who's done security

12:05

isn't just going to know one language

12:08

i think some areas you can kind of get

12:09

away with a single language where it

12:11

comes down to like automating recon and

12:13

stuff you can maybe get away with just

12:14

some like python or like that daily

12:16

drive

12:17

language uh but when it comes if you're

12:20

doing kind of the code review

12:22

level doing doing stuff at that level

12:25

you kind of need to have an

12:27

understanding of several different

12:28

languages

12:30

rather than just one but um

12:33

you'll start noticing a lot of

12:34

similarities between languages so you're

12:36

kind of able to pick things up

12:38

really quickly once you've kind of

12:39

started learning one or two languages um

12:41

i tend to recommend like a um

12:45

a native language like c and then learn

12:48

object oriented because

12:49

it's used all over in enterprise

12:51

code.net stuff is using it java stuff

12:55

um so like you see those two a lot and

12:57

then a functional language kind of

12:59

be an edge case on some of the other

13:00

weird things you might run into and

13:02

that kind of catches you up on uh

13:06

most things you're going to run into in

13:07

terms of like doing code reviews uh

13:09

you'll be able to pick up

13:10

almost any language if you kind of have

13:12

those fundamentals

13:16

so our next video will be going into

13:18

programming languages

13:19

and you know which ones are good to know

13:20

for security and for what reasons and

13:22

stuff like that so keep a look out for

13:24

that

13:24

in uh in the next two weeks time that

13:27

way you know you can

13:28

you can get kind of both parts to uh

13:30

this discussion

13:31

that said i think on this discussion

13:33

specifically we'll we'll wrap it up here

13:35

unless you have any last-minute thoughts

13:36

see no

13:38

i guess i would just end off by saying

13:40

if you want to actually you know get

13:42

good

13:43

and have some decent skill which i think

13:46

you should probably aim for

13:47

yes just start learning to program if

13:50

you don't know that already

13:52

all right so i'll end off by saying we

13:54

do have our

13:56

day zero podcast if some of you you know

13:58

haven't heard of that

13:59

we we run those on monday at 3 pm

14:01

eastern 12 pm pacific

14:02

so check those out if you haven't

14:04

already we also have these discussion

14:06

videos every two weeks on thursdays

14:08

usually they're released around the

14:10

morning i think around 8 a.m or so is

14:11

when we try to get them out

14:12

so keep a lookout for those other than

14:14

that though we will see you guys in the

14:16

next discussion video