IT Security career without coding/programming knowledge

Prolifix

How essential to a cyber security expert is the ability to program/code in any of the major languages (C, Java, C# etc.)?

If I wanted to turn IT security into a long term, successful career, would my inability to gain an elementary grasp of any programming language be something that would seriously hold me back from advancement in this industry? Particularly if I wanted to do work associated with penetration testing and the whole red/blue team aspect of that.

The reason I ask is that after a number of years of trying to understand some of the more straightforward languages which most experts say are vital to the IT security field, like JavaScript (through FreeCodeCamp) and Java, I haven't been able to get a solid grasp of them. Ultimately this just comes down to me not being a natural "engineer" or technically minded. Only scripting languages like HTML are something that I find do-able.

TheFORCE

It will not hurt you not knowing how to program or how to code. It will help you more if you know some of the scripting languages to automate tasks, like Powershell, Python, bash etc etc. Be somewhat familiar with those and you will be fine.

636-555-3226

I've been in infosec for getting close to 20 years and I can't code for crap, but my jobs have never needed me to. All depends on what infosec path you want to take (I'm management). If you want to be red team/blue team then you do need to at least know Windows/*nix scripting.

To actually be good at it you're going to need to know at least Powershell and Python, too.

Powershell's something you should start picking up anyway since it's the bread and butter of Windows/Server administration at this point & going forward.

markulous

There was a thread recently on this. It just kinda depends on what you're doing.

Mitechniq

The reason most of these questions do not get many answers is simply that your question is very broad. IT Security covers 'ALL' domains, and you can land in several fields of IT that encompass Security. That means we all will have our funneled idea of what IT Security means. If there is, however, one suggestion I can make about programming is learning 'Python.' You will be a better system administrator by coding automation and better network administrator by coding network infrastructure, and there are several pen testing/ incident response tools based on Python modules. I now use Python with Boto to do several AWS configurations. The adoption of Python to several key components of IT is endless, and I think for non-programmers, Python has the best ROI of any programming language and will make you stand out from other candidates for an IT Security position.

goatama

If you want to Red Team, you need to be able to code. Period. You also need to be able to look at other people's code and know how to manipulate it to do what you want. If you want to Blue Team, you likely need to be able to do static code analysis, this means looking for vulnerabilities in code and explaining to the developer what they need to do to fix it. I'm not a "programmer", but I know enough about coding and programming to be able to do these things. If you can't grok Javascript on a basic level, you probably will not be able to Red Team at a mid to senior level. It's not just running tools, you have to be able to script things on the fly and understand how the application you're testing functions so you can fuzz it to exploit the vulnerabilities in the code. This requires a fairly decent understanding of various programming languages and their structures.

docrice

As a blue team guy, I can say that coding is more role-dependent. I don't read or write code, but it certainly wouldn't help in a more generalist sense. That said, at least some basic automation abilities (scripting) is important in the long-term otherwise it just ends up being inefficient manual labor.

cyberguypr

Mitechniq's point is right on the money. I always say InfoSec is like medicine. There's a myriad of specialties that you can pursue, some of them completely unrelated to others. I am also a blue team guy so I do not code anything. I do however user other people's scripts and modify them to suit my purposes.

gespenstern

I'm blue team/incident response type of guy and I do code. For the most part it is various automation Korn/Bash, cmd/bat, PowerShell code, occasionally js/vbs. A typical scenario is when your client gets hit with a sophisticated malware that no anti-virus vendor can detect. You have to do at least basic analysis, establish IoCs and write a script for detecting and cleaning it from the environment. It's impossible to do this type of job without being able to code.

In 90-s I also worked as a FoxPro developer and x86 assembly language developer, so I know how it works...

But yeah, it's not required, especially for management, risk assessment, GRC type of work. In this case you have to be proficient in frameworks, smooth talking and PowerPoint skills. But usually these type of jobs are for experienced pros that are hard to get into without prior low-level experience that often does involve coding...

C/C# type of thing is more of SDLC and big projects type of work, I'm not very familiar with it... just compiled really basic tools in visual studio a few times.

TechGuru80

If you want to be a pentester...eventually it will catch up to you if you can't automate and program. For most other aspects you might not ever need to program.

I would start trying to learn bash/powershell and go from there....maybe Python/C/C++. You won't have to be an expert but having some knowledge is helpful.

the_Grinch

Helps, but definitely not required.