Cybersecurity is a diverse field, containing a large number of different roles. A cybersecurity professional can have an offensive or defensive focus and specialize in any of a number of different subfields.
However, across the industry, certain knowledge and skill sets are essential to success. One of these common skill sets is at least a fundamental knowledge of programming and how it fits into the field of cybersecurity.
Cybersecurity experts aren’t developers, and, despite having some similar skill sets, they can have very different focuses. A developer’s focus is writing code that does its job, is efficient, and is shipped on schedule. A security expert’s goal is making sure that the code is secure and doesn’t expose the company or its customers to unnecessary risk.
That said, while hackers aren’t developers, having familiarity with a language or two is a huge asset for a hacker. A large part of cybersecurity is either breaking code or finding ways to fix it, so understanding how to read and write a program is a necessary skill.
For this reason, the ability to program is a necessary starting point for a career in cybersecurity. Understanding the ecosystem where code runs, the different classes of vulnerabilities that can exist in a program, and how to automate common and simple tasks via scripting are all a crucial part of breaking into cybersecurity.
Understanding cybersecurity fundamentals
Software is written to run on computers, which are complicated systems. Additionally, this software can be designed to interact with other software and other computers, which only adds to the mess. If you want to write programs — or break them — then it is essential to understand the environments in which these applications run.
This is true whether you want to fix vulnerabilities or exploit them as a penetration tester. In most cases, if a vulnerability exists within an application, it probably has to do with some low-level component. Understanding how the vulnerability works and what went wrong requires an understanding of these low-level components.
For example, buffer overflow vulnerabilities — a class of vulnerabilities that includes three of the top five vulnerabilities in the Common Weakness Enumeration (a well-regarded list of software issues) Top 25 list of the most dangerous software weaknesses — deal with the improper use of memory.
The takeaway here is that if you understand how an application interacts with the memory on a computer and the functions used for memory allocation, then buffer overflow vulnerabilities are a simple concept. On the other hand, if you don’t know what the stack is, understanding the implications of a buffer overflow vulnerability for application security will be much harder.
Similarly, other low-level components can go wrong in a variety of different ways.
Identifying when something is wrong with an application requires an understanding of how to interact with these low-level components correctly.
For this reason, understanding the fundamentals of computers and networking is an invaluable skill for a hacker. Pick a topic (memory, networking, etc.) and take the time to understand how things work at a high level and how to use these components correctly. When you have a good grasp of one area, move on to another. This understanding of the fundamentals of how IT systems work is an invaluable resource in any area of cybersecurity.
The good news is that there has never been a better time to learn about hacking and computer programming on your own. There are many resources available on the internet to help you get started. Check out the further reading list at the bottom.
Finding the vulnerabilities
Once you know how everything is supposed to work, the next step is learning how everything can go wrong. Understanding common vulnerabilities and how they work will enable you to identify the same errors in different applications.
If you’re tracking vulnerability stats, it may seem like new types of attacks are being discovered every day. For the last few years, over 22,000 new vulnerabilities have been discovered each year, according to one study done by the vulnerability intelligence firm Risk Based Security. If you focus on numbers like this, the thought of learning how all of these different vulnerabilities work may seem overwhelming.
However, the truth is that software security hasn’t changed much over the years and it wasn’t very diverse in the first place. These massive numbers of vulnerabilities exist because developers keep making the same mistakes in different applications. For example, there are currently over 148,000 Common Vulnerabilities and Exposures (CVEs) — which are publicly reported vulnerabilities — but these vulnerabilities are classified into only 916 different CWEs.
For example, take a look at the Open Web Application Security Project (OWASP) Top Ten list of common web application vulnerabilities. This is one of the most famous cybersecurity resources in existence and lists the most common vulnerabilities in web applications at the time it is published (every few years).
More specifically, focus on the Release Notes, which describe the changes between 2013 and 2017 (the most recent version). The newest version has three new vulnerabilities, two that were bumped from the list, and two that were merged into a single vulnerability. In summary, not much has changed in the last eight years. The same is largely true for earlier versions of the list as well, back to when it was first created in 2003.
This means that, if you understand the vulnerabilities described in the OWASP Top Ten, the CWE Top 25, and similar lists, you understand the vast majority of the vulnerabilities that you are likely to encounter as a hacker. Dive into these lists and work to understand how these vulnerabilities work rather than the specific implementations. This — combined with an understanding of programming — should enable you to identify vulnerable code regardless of what it looks like.
Once you understand the core vulnerability, take some time to read up on remediations, variations, and workarounds. For example, the use of a token is a common mitigation against cross-site request forgery (CSRF) attacks. Many platforms include CSRF defenses, but they don’t always work. Understanding how and why a particular defense works helps you to spot cases where it doesn’t.
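To make the point about CSRF defenses concrete, here is an added example (not code from the original article or from any particular platform) that puts a flawed token check beside a hardened one. The function names, the token layout and the server key are assumptions made for illustration, and session IDs are assumed to be server-generated values that contain no "|".

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed key for this example only


def _mac(message: str) -> str:
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_weak_token() -> str:
    """Flawed issuer: the signature covers only the nonce, not the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(nonce)}"


def weak_check(session_id: str, submitted: Optional[str]) -> bool:
    """Flawed validator, kept for comparison with check_token below."""
    if not submitted:  # flaw 1: a request that omits the token is never checked
        return True
    nonce, _, mac = submitted.partition(".")
    # flaw 2: session_id is ignored, so any validly signed token passes
    # flaw 3: == is not a constant-time comparison
    return mac == _mac(nonce)


def issue_token(session_id: str) -> str:
    """Token bound to one session: nonce plus HMAC(key, session_id|nonce)."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(f'{session_id}|{nonce}')}"


def check_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject missing or malformed tokens and tokens issued to another session."""
    if not submitted or submitted.count(".") != 1:
        return False
    nonce, mac = submitted.split(".")
    expected = _mac(f"{session_id}|{nonce}")
    # compare as bytes so non-ASCII input cannot raise inside compare_digest
    return hmac.compare_digest(mac.encode(), expected.encode())
```

Both validators report that a token check exists, which is why reviewing how the check is bound to the session, and what happens when the field is absent, matters more than confirming that a token is present.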
Scripting and Automation
So far, we’ve been talking about programming as a means to achieving some other cybersecurity goal. For example, you need to understand code to break it or to fix it when it’s broken, so a basic understanding of programming and the various types of vulnerabilities is required knowledge for a cybersecurity practitioner.
However, the ability to program is also a useful asset in and of itself for cybersecurity. The field of cybersecurity is fast-moving, meaning that a hacker needs to be able to respond quickly to events. Additionally, the networks that hackers need to defend or attack are growing larger and larger and can contain a greater variety of systems. Attempting to do everything by hand is an unscalable solution, making automation an invaluable resource for the cybersecurity practitioner.
For this reason, an understanding of at least one common scripting language is a huge asset for a cybersecurity professional. Scripting languages are designed to be flexible and easy to use, which makes it possible to quickly develop programs to accomplish a particular task. This is useful across the board in cybersecurity, whether a hacker needs to collect log data to investigate a potential incident or automate a scan or exploit against a potential vulnerability.
When selecting a scripting language to learn, Python is always a good choice. It is designed to be easy to learn and, through its vast array of libraries, is capable of doing some truly incredible things. If you haven’t chosen a language to learn to program in yet, give Python a try. If you already know how to program, then learning Python is largely a matter of reading up on syntax and getting comfortable with using indentation to define blocks of code instead of curly braces.
However, despite Python’s numerous advantages, it isn’t enough for a cybersecurity expert. To be a hacker, you also need to be comfortable working in the command line. Many programs that are commonly used in cybersecurity are only available with command line interfaces, which makes a fear of the terminal a challenge in cybersecurity. Additionally, terminal applications like grep can be extremely powerful tools. Even a basic understanding of how to use the terminal is a huge benefit for cybersecurity.
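As an illustration of the log-collection use case mentioned above, the following added example (not part of the original article) triages SSH authentication events per source address, which takes state that a single grep pattern does not keep. The log lines are constructed samples in the OpenSSH sshd syslog format using documentation IP ranges, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic) in the sshd syslog format.
SAMPLE_LOG = """\
Mar  3 09:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2
Mar  3 09:14:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51202 ssh2
Mar  3 09:14:06 web1 sshd[2203]: Failed password for alice from 203.0.113.7 port 51207 ssh2
Mar  3 09:15:40 web1 sshd[2210]: Failed password for bob from 198.51.100.20 port 40112 ssh2
Mar  3 09:15:52 web1 sshd[2210]: Accepted password for bob from 198.51.100.20 port 40112 ssh2
Mar  3 09:16:10 web1 sshd[2215]: Failed password for alice from 203.0.113.7 port 51260 ssh2
Mar  3 09:16:15 web1 sshd[2216]: Accepted password for alice from 203.0.113.7 port 51266 ssh2
Mar  3 09:20:00 web1 sshd[2230]: Accepted publickey for carol from 192.0.2.55 port 60000 ssh2
"""

# Matches password-authentication results only; other lines are skipped.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def triage(log_text, threshold=3):
    """Summarise sources with at least `threshold` failed password logins.

    Returns {ip: {"failures", "users", "success_after_failures"}}; the last
    field is True when a login succeeded after the threshold was reached.
    """
    stats = defaultdict(
        lambda: {"failures": 0, "users": set(), "success_after_failures": False}
    )
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] >= threshold:
            entry["success_after_failures"] = True
    return {
        ip: {**e, "users": sorted(e["users"])}
        for ip, e in stats.items() if e["failures"] >= threshold
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```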
Getting started with programming for cybersecurity
Cybersecurity is a big field that includes a lot of different pieces. There can be a lot to learn, and, without a plan, it can seem overwhelming.
Starting with something interesting is always a good idea. If you want to understand the theory behind cybersecurity, dig into some of the fundamentals and learn about computer memory or the network stack. On the other hand, if you want to be able to do something immediately, getting some experience with a programming language may be a better introduction to cybersecurity. Check out this guide to coding for cybersecurity to see a discussion of the pros and cons of various programming languages.
Getting started is always the hardest part, and, once you understand one part of cybersecurity, other parts become easier to learn. Everything in cybersecurity is interconnected, and a solid grasp of the fundamentals will make understanding the latest big-name vulnerability and how to exploit or patch it much, much easier.
Sources and further reading
- Common Weakness Enumeration (CWE): The CWE is a hierarchical system for classifying vulnerabilities. It has a number of useful views, including the Top 25 list of the most dangerous CWEs and language-specific lists.
- Open Web Application Security Project (OWASP): OWASP is a project devoted to improving developer knowledge of web application security threats. It is most famous for its Top Ten list but also offers other useful vulnerability lists and a wide range of security resources.
- Common Vulnerabilities and Exposures (CVE): CVEs are unique identifiers assigned to publicly reported vulnerabilities. This makes it possible to read about a particular flaw across multiple sources (which may otherwise name or number it differently).
- Coding for Cybersecurity Guide: This article outlines the advantages of various programming languages for cybersecurity. It also highlights recommended bootcamps for learning to program.