Penetration Testing mailing list archives

Re: Programming skills for Pen Testers

From: intel96 <intel96 () bellsouth net>
Date: Sun, 12 Feb 2006 13:08:26 -0500

I think having some basic programming skills are a must when doing
pen-testing and other security work (e.g. looking at virus code, finding
systems changes, etc.).  Over the years I have learned how to debug
code, decompile code, and even writing my own tools, because some of the
open source did not meet my requirements.  I subscribe to developer
magazine and forums to learn.  I even pay to have private one-on-one
classes with some of my commercial security tools developer friends to
learn more. 

In this fast pace security environment in pays to keep ahead of the
Jones................................ (and yes I have a life outside of
work ;)


FocusHacks wrote:

I honestly don't think that programming in C is any sort of a

prerequisite for a penetration tester.  It's perhaps a pre-requisite
for a security researcher.

There was a discussion not long ago where we talked about how many
pen-testers actually sit down, wade through other peoples' code look
for exploitable code, and write PoC code.  Not many pen-testers do
this.  First off, if a person has those sort of skills, they can
probably make more money in development QA than they can as a
pen-tester, and next off, that sort of task takes a LOT of time, and
they wouldn't have enough time in a week to get any pen-tests in, if
they were sitting in front of a computer all day long grokking code.

C++ is object oriented C.  If you learn C++, you'll learn C, and if
you learn C, learning C++ isn't hard, but learning how to think
object-oriented causes some people problems.

Most normal UNIX stuff is just written in plain old vanilla C, though.

On 2/9/06, johnny Mnemonic <security4thefainthearted () hotmail com> wrote:

ok we all know that in addition to good network, host and application
security skills, programming in C is a pre-requisite for a decent pen tester
or at least one who wants to write their own security tools or simply audit
the open source code they use. My question is, despite their similarities
should a pen tester be concentrating on C or C++ ? That's it!

Thanks.

_________________________________________________________________
Get MSN Hotmail alerts on your mobile.
http://mobile.msn.com/ac.aspx?cid=uuhp_hotmail


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



--
http://www.FocusHacks.com - The Ford Focus Modification Site!

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Programming skills for Pen Testers johnny Mnemonic (Feb 10)
- RE: Programming skills for Pen Testers Terry Vernon (Feb 10)
  - RE: Programming skills for Pen Testers Muhammad Omar Khan (Feb 11)
- Re: Programming skills for Pen Testers Justin Ferguson (Feb 10)
- Re: Programming skills for Pen Testers FocusHacks (Feb 11)
  - Re: Programming skills for Pen Testers intel96 (Feb 12)
    - RES: Programming skills for Pen Testers 7978488 (Feb 12)
- Re: Programming skills for Pen Testers thomas springer (Feb 11)
  - Re: Programming skills for Pen Testers pagvac (Feb 11)
- RE: Programming skills for Pen Testers Sahir Hidayatullah (Feb 11)
- <Possible follow-ups>
- RE: Programming skills for Pen Testers Shenk, Jerry A (Feb 11)
  - RE: Programming skills for Pen Testers jeremiah (Feb 11)
- RE: Programming skills for Pen Testers Craig Wright (Feb 12)
  - RE: Programming skills for Pen Testers johnny Mnemonic (Feb 12)
  - Re: Programming skills for Pen Testers Jeremy Saintot (Feb 28)
    - Re: Programming skills for Pen Testers Justin Ferguson (Feb 28)

(Thread continues...)