Breaking into Cyber Security: Programming Languages
Since I wrote my article on “How to break into the CyberSec industry” I’ve received a lot of Direct Messages on Twitter, comments on the blog post, Private Messages on Reddit and a few messages on LinkedIn regarding how big part programming has in Cyber/InfoSec. My hope is that this post will shed some light on the subject.
I’m not going to put any labels on this — like “this is good for a white hat” or “this language is great if you are in the Blue Team”, which I know other resources tend to do.
Rather than that I’ll be focusing on the languages that I’ve found useful to know and understand from my experience, reading online and simply by listening to people’s experiences. I’ll also try to give some good examples on books and other resources you can use to learn these languages from. The below list is in no way ranked and I think it’s important to realize that there are times when a certain language would be great and other times when it simply might not be the best tool for the job.
So rather than looking at this list as a be-all end-all resource, look at it somberly and understand that programming languages are tools in a toolbox. You could use a hammer to put a screw in a wall, but it’s not as effective as using a screwdriver.
Let’s get to it!
C
Pretty much every OS comes bundled with C and nearly all libraries and frameworks you will be dealing with are going to be built or partially built using C. Why? It’s a lean and efficient (when done right) language that can do basically anything from using socket-networking to do image-processing.
From an Info/CyberSec perspective this language is great to learn (some, or a lot) of because it makes you understand how certain ‘basic’ things work. It also makes it easier for you to understand how a specific exploit or tool works and how you can tweak it to do more for you.
C is used in a lot of software, but I usually see it used in embedded systems development and other low-level (where you are working close to the hardware, like network cards) programming.
Inherently most cryptographic libraries are based on C-code, so C would be a great bet if you want to get into cryptography!
Here is a great list of books from beginner to advanced. You really can’t go too wrong with StackOverflow!
C++
There is a great quote by Bjarne Stroustrup, the founder of the language (or library):
“C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.”
Basically you can think of C++ as C’s big brother on crack, meth and steroids all at the same time. It’s an absolutely fantastic language that I think everyone should at least learn some off, if only to understand just how difficult it is to work with and to appreciate the sort of people who work with it on a daily basis.
As mentioned above it’s built on the same source-code as C, with a bunch of libraries that makes C++ a lot easier to work with whilst still giving you the some of the sort of low-level access you would expect from C.
There are literally TONNES of good programs built on or using C++ for parts of it. One that pops out is nmap, a widely used tool that let’s you scan and enumerate a server.
C++ is used in many resource-constrained and performance-critical settings like on e-Commerce servers and in stock applications, so anything that needs to be quick and safe.
Here is another great article with some good examples of books if you want to learn C++. I’d stay away from the C++ primer if you are a complete beginner. I’ve got it at home but whenever I pick it up for some references whenever I am programming something I find that I feel even more confused and like I know a lot less than when I initially picked it up. It’s a fantastic book, though — you just need to have some prior knowledge of C++ or other languages.
Python
God, where do I even start? I LOVE this language.
If you are new to programming and want to pick it up as a skill, then I’d suggest starting with this language. Not only is the syntax very easy to understand (when you get past the friggin’ indentations), but it also has a seamless amount of libraries to do basically anything you would want to do.
You can do anything from multi-threaded programming to use its libraries to send TCP-packets to machines. The potential of the language is further increased by how easy it is to interface C-code into it, which combines the development speed of Python with the efficiency of C.
Python is also widely used when performing crypto- and malware-analysis. So if you want to work with that, you should have a look at Python! (I know, it’s awesome!).
In the case of learning Python I’d suggest looking up this website and use it together with the python docs. When you have a solid foundation and written one or a few medium-large programs I’d suggest getting a copy of Violent Python as it has a lot to teach. It’s mainly geared to the offensive security side of things, but if you understand how the offensive side thinks, you can use that to build defensive scripts too!
Trust me, if you don’t know this language — you should!
Bash
Bash is a great scripting language to pick up in case you are mainly on a Linux OS (or if you are using ‘Bash for Windows‘).
From my own personal perspective it’s a great tool to use when penetration testing as it usually comes bundled on most of the machines I’ve attacked, meaning I can easily send over a script that could automate processes that I need to perform (like cleaning logs).
I’d suggest people who are unfamiliar with Linux to learn some of the language as it would not only help with automating menial tasks, but also most likely will introduce you to new commands.
Here is a link to TLDP that introduces beginner-intermidiate concepts to scripters.
JavaScript
I know, some of you might be scratching your heads now, but bare with me.
You simply can’t go anywhere nowadays where you aren’t at least seeing something made in JavaScript, meaning it’s important for us to at least understand the basic fundamentals of how this language works — regardless of if we want to use it for exploits or if we need to harden our system.
It used to be that JavaScript was mainly a client-side language (meaning that it executed code on the guest system rather than on the server), but nowadays we see it both on the server and client-side of things.
This means that (depending on your mindset) there are double the amount of potential exploits or double the things that needs to be hardened.
So what do you actually do with JavaScript? We mainly see JavaScript used on our browsers or on webservers. Some common frameworks (as of 16/02 -17) are NodeJS, AngularJS, ReactJS, jQuery etc. The first (NodeJS) being a server-side framework that allows you to create APIs to transfer data from the server and the three other are mainly client-side with their own individual strengths and weaknesses.
The reason to learn this language is simple: It’s used everywhere, so knowing it is always going to be beneficial to you — regardless of what your purpose is. In addition to it being used everywhere it is also very easy to pick up, so even if you are a beginner you will easily learn how to use the language for basic things like displaying text on a webpage.
Here are some good resources to pick up the language. As the title says it’s for beginners who wish to learn the language in a short period of time.
Proprietary scripting languages
This includes all languages of various networking vendors like Cisco.
These languages would mainly benefit you if you are working with their respective hardware. Like if you were working with the Cisco IOS you would be working with TCL to automate things.
I’ve got extremely limited experience with these sort of languages, and all I really can say is that knowing these scripting languages would benefit you if you are going to be working with a certain specific type of hardware or a particular type of network and its security.
I know there are a bunch of other languages that I’ve missed (Ruby, Java etc) and I do realize many of you might disagree with me placing JavaScript in the list. But I do believe it is getting more and more important for us to at least have a basic understanding on how that language works simply because it is everywhere.
I hope this proves to be a decent list and helps some of you all out in your quest of learning about programming language’s part of Info/CyberSec.
As I mentioned earlier, look at these languages as tools in your toolbox rather than a silver-bullet.
If I missed any important languages, feel free to message me!
Originally published at Acorn Aspirations.