“I’m Not a Coder” may not fly forever

So, I’ve spent the past month traveling all over the place, teaching and working with clients. I’ve taught two groups of people in the Middle East and Europe how to demolish Web applications. And it has been unbelievably fun, trust me. 🙂 However, I’ve become attuned to something that I think could be a problem in the infosec space in the near future: most security people are not coders. Now, I’m not admonishing those of you who are network types. Hell, I’ve really got more of a network background than anything. But I know C++, spent some time writing it, can crawl through Java, and can whip up some Perl and Python when I need it. And JavaScript? Yeah, I got that too. What I’m finding, though, when working with infosec teams around the globe, is that there’s a bit of apathy toward coding skills. Well, you heard it here, folks:

90% of your security problems are related to bad code, somewhere down the line.

And being a paranoid type, and a bit of a worrier about THINGS, I fear we’re losing some Kung Fu. What does the next generation of security folks look like? From what I can see, they’re even LESS inclined to code. This, in my opinion, is a problem. The 2011 Verizon DBIR talks about malware and hacking, both of which usually come down to a missing patch, a flaw, a vulnerability: a piece, or pieces, of bad code. The number of Web application-related flaws keeps going up, particularly XSS (SQLi is steady, even down a little, yay). We need to understand code, period. Here are a few reasons why:

  • Your organization’s developers need help. Think it’s hard convincing the rank and file of your organization that security is important? Coders are under WAY more pressure to deliver projects in many cases, so security almost always takes a back seat. Help them.
  • You need to understand what vulnerabilities mean, and what exploits are doing. That usually means reading some code: the flawed line, and the input that abuses it.
  • You need to crank out some scripts, or write a few simple programs, during security assignments (particularly pen tests).
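To make the second point concrete, here is an added example (not code from the original post) showing the two Web flaws mentioned above, SQL injection and XSS, written first the way they tend to appear in real code and then the way they should be written. The user table, the account, and the malicious inputs are constructed for the demonstration; it runs offline against an in-memory SQLite database with nothing but the Python standard library.

```python
"""Added example: the same flaw, before and after, for SQLi and XSS.

Everything here is constructed for illustration; the table, the single
account and the attack strings are not from any real application.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The bug: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The fix: bind parameters. The input is sent as data and never reaches
    the SQL parser, so a quote is just a character in the password."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def greeting_vulnerable(display_name: str) -> str:
    """The bug: untrusted text is concatenated straight into HTML, so a
    display name containing markup becomes markup in the victim's browser."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_fixed(display_name: str) -> str:
    """The fix: encode for the HTML text context before concatenating.
    (Attribute, URL and JavaScript contexts each need their own encoding.)"""
    return "<p>Welcome, " + html.escape(display_name) + "</p>"


def contains_script_tag(rendered: str) -> bool:
    """Crude check used to show whether the rendered page still carries live markup."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology payload: the WHERE clause becomes
    #   name = 'alice' AND password = '' OR '1'='1'
    # and the OR branch is always true.
    payload = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(conn, "alice", payload))
    print("fixed login with injected password:     ", login_fixed(conn, "alice", payload))
    print("fixed login with the real password:     ", login_fixed(conn, "alice", "correct horse"))

    xss = "<script>alert(1)</script>"
    print(greeting_vulnerable(xss))
    print(greeting_fixed(xss))
```

Run it and compare the two SQL queries side by side: the only difference is whether the input is part of the statement or a bound value, which is exactly the kind of thing a security person who can read code spots in a review, and a security person who cannot has to take a scanner's word for.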

These are just some ideas to get you started. But if you’re one of those security folks who routinely convince yourself that you don’t need any coding skills, you really need to develop some. This is, in fact, a career development thing. Forget that latest shiny vendor widget. Learn some fundamentals. Here are a few suggestions to get you started if you are new to this, or maybe even just rusty:

There’s plenty more. I have books on Ruby, Perl, and lots of other languages. Pick one you like! These are just some that are easy to work with and may help you ease back into the world of programming. I, for one, am not a talented programmer, and never claim to be. But I can pull it off, and I *get* code. There’s a solid chance you need to, as well.