Programming languages? - question for security people

J0e Member Posts: 45
What programming languages do you guys/girls know and how well?
Just curious, planning to go the security path!
My idea was to start with Perl and then...

Thx

Comments

  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    Learning to program is an excellent supplement to learning information security. What programming language(s) you learn depends on what you want to do in InfoSec. Many system security tasks are performed using scripting languages (JavaScript, VBScript, Perl) and shell programming. Reverse engineering and vulnerability assessment (hacking) rely on the knowledge and use of C and x86 assembly language. And although security tools can be written in any language, C++ is the most popular, C# is great for (only) Windows, and Java is the most portable between hardware platforms and operating systems.

    Hey, if this thread gets a lot of good responses I'll make a TE blog article out of it.
  • dynamik Banned Posts: 12,312
    What's your background in programming? Perl's awesome, but it can be a lot to take in for a novice. Python is easy to learn and can be used for pretty much any application. You might want to consider starting there if you're a beginner.

    Personally, I know PHP and JavaScript very well, and I have varying degrees of skill with C++, C#, Perl, Python, and VB. After you develop a solid foundation, you can transition to other languages fairly easily.
  • seuss_ssues Member Posts: 629
    For security, Linux is my platform of choice. The number of available tools, compilers, etc. is outstanding. With that being said, I find it very useful to know bash scripting and C.
  • coffeeking Member Posts: 305
    I am relatively new to InfoSec, preparing for Security+, but I had no idea if one would need to learn any programming languages to make it in InfoSec. Is it the same for Cisco guys?
  • J0e Member Posts: 45
    dynamik wrote:
    What's your background in programming? Perl's awesome, but it can be a lot to take in for a novice. Python is easy to learn and can be used for pretty much any application. You might want to consider starting there if you're a beginner.

    Personally, I know PHP and JavaScript very well, and I have varying degrees of skill with C++, C#, Perl, Python, and VB. After you develop a solid foundation, you can transition to other languages fairly easily.

    No background in programming; I started C# a couple of weeks ago because I need to do some calculations for a college course. That was my first "touch" with programming.
    I have really no interest in C# right now; my focus is more on scripting languages like Perl and Python that could help me when I get a sysadmin job to solve some tasks faster and better and then transition to security :) ! What language is "easier", Perl or Python (+ dynamik), to start with?
    Thx guys :D
  • undomiel Member Posts: 2,818
    Granted I had dabbled in C/C++ and x86 assembly on and off but not seriously prior to this, but when I learned Perl (weekend long crash course to fix a very critical problem) I found it to be a fairly easy language to grasp. I can't comment on Python though as I have never touched that.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Gennosuke HIGAKI Member Posts: 68
    I have experience with both compiled languages and interpreters, though I am good at the latter: Web-based Perl, PHP, ASP, and JavaScript. I am learning C# now to step into the .NET world.

    From my experience, if you are really security oriented, I recommend shell programming first, say, bash or C shell in Linux. These are essential and helpful in using Linux and Cisco IOS. Then, Perl. Perl is mighty and applied in both edges, right and evil. Interpreters are generally easier and useful in various real aspects.
  • Schluep Member Posts: 346
    I have experience writing in or editing FORTRAN/Fortran 95, ASP.NET, PHP, and C. I'll be honest, my programming skills are falling a bit behind since I haven't been using them as much lately and I'd be a bit slow writing in any of those languages at this point.

    From a security perspective I definitely plan on picking up JavaScript and assembly as well as practicing up on my C again at some point.
  • shednik Member Posts: 2,005
    JDMurray wrote:

    Hey, if this thread gets a lot of good responses I'll make a TE blog article out of it.

    Do it! You haven't written in a while anyway, if I'm not mistaken.

    slacker :D
  • BigTone Member Posts: 283
    Among the Microsoft certs I plan on taking in the near future, Linux and security are really poking my brain and something I want to learn... but as I said on a different forum, Java scared me in college....

    Other responses I've heard that are good for security/ethical hacking (and these responses were echoed in this thread) are bash/Perl/scripting languages and a little C couldn't hurt eh?


    I third the blogging on programming in security. I'd love to read it.
  • keatron Security Tinkerer Member Posts: 1,213
    Right now in the field I'm doing a lot with 86 assembly and a TON with Python. Everything from log parsing to cloning access cards and tokens (the swipe cards you use to enter a secure facility). Somebody discovered that ripping the data from these devices (if you get close enough or have a strong enough antenna attached to a device tuned to the right frequency), is pretty trivial. And Python is the best way I've found to parse the data pulled from these cards and burn it to a blank card. End result. Stand next to a guy in the elevator. With your ripping device hidden in your coat, stand as close to him as possible, you hear a beep in your pocket (or feel a vibration if you're smart), and you both go on your merry way. You go to your laptop, plug the device from your coat into your laptop via USB or serial, **** the data, run the correct Python script which puts the data back in the format it needs to be in (because it **** like garbage when you do a brute force copy like I described above), burn it to a blank card (preferably the same vendor as the one you cloned from the guy in the elevator), and just like that, you're that guy. You can get into any building or room he can. Obviously there are some small details I left out, but I think you get the point. My penetration success has gone up tremendously since I borrowed this idea, technique and equipment from Adam Laurie at Blackhat last year. If you wanna know more go to rfidiot.org. You'll see that all of his example scripts are Python.

    I'm officially in love and getting married to Python~~
  • J0e Member Posts: 45
    @JDMurray: that would be cool
    @coffeeking: If you wanna do it seriously I think you should know at least 1
    @keatron: nice post, did some additional research and I'm very close to choosing Python; this sentence got me: "can be learned in a few days"*
    wish you a long and happy life with Python

    *python.org
  • liven Member Posts: 918
    I would like to put my 2 cents in for:


    Perl
    C


    I learned C first, and it has made learning bash, shell, PHP, Ruby, Perl, Java and others MUCH easier for me...

    But I am sure you could make that argument for just about any language. I think the fact that I learned C in school and was forced to do a lot of things that I would never have done made me really "learn" C. Which gave me a solid foundation for programming in general...

    Once again "just my 2 cents".
    encrypt the encryption, never mind my brain hurts.
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    shednik wrote:
    JDMurray wrote:

    Hey, if this thread gets a lot of good responses I'll make a TE blog article out of it.

    Do it! You haven't written in a while anyway, if I'm not mistaken.

    slacker :D
    Check again--we now have a new virtualization forum and an announcement blog article.

    I'll do some research in the use of programming in InfoSec and write a blog article. I've got an idea of the major topics, but I need to find some more real-world examples.
  • shednik Member Posts: 2,005
    JDMurray wrote:
    Check again--we now have a new virtualization forum and an announcement blog article.

    I'll do some research in the use of programming in InfoSec and write a blog article. I've got an idea of the major topics, but I need to find some more real-world examples.

    Yes, just moments after I posted that I saw your new blog posting... oh well, you should still do the write-up; I think a lot of people would benefit from it.
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    keatron wrote:
    Stand next to a guy in the elevator. With your ripping device hidden in your coat, stand as close to him as possible, you hear a beep in your pocket (or feel a vibration if you're smart), and you both go on your merry way.
    keatron, you really need to change your avatar to Maxwell Smart.

    get_smart2.jpg
  • Schluep Member Posts: 346
    JDMurray wrote:
    keatron wrote:
    Stand next to a guy in the elevator. With your ripping device hidden in your coat, stand as close to him as possible, you hear a beep in your pocket (or feel a vibration if you're smart), and you both go on your merry way.
    keatron, you really need to change your avatar to Maxwell Smart.

    get_smart2.jpg

    I never knew that little red x had a name. I'll be sure to address him properly from now on.
  • Slowhand MCSE: Cloud Platform and Infrastructure / Core Infrastructure, MCSA: Windows Server 2003/2012/2016 Bay Area, California Mod Posts: 5,161
    I can't give recommendations on full-scale programming languages, (except the C/C++ and assembly language, that goes without saying,) but I do agree with the comments on scripting. For security admins, scripting is key, so for the Unix/Linux guys Bash is the way to go. And, for Windows admins, I'll tell you what I was told at the Server 2008 launch event yesterday: learn PowerShell.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • liven Member Posts: 918
    JD,

    as a professional security admin, I will be more than happy to help with real world examples.
  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    Slowhand wrote:
    And, for Windows admins, I'll tell you what I was told at the Server 2008 launch event yesterday: learn PowerShell.
    I've been playing with PowerShell for a year now and it's a cool concept with a lot of useful features. I use it quite a bit for playing with the WMI. It makes me wonder why something like PS wasn't written for the initial release of Windows Server 2003.
    liven wrote:
    JD,

    as a professional security admin, I will be more than happy to help with real world examples.
    Cool! I need examples of how certain programming languages are best used in specific security administrative situations. Perl or Python for log file processing, shell or device scripts for access control, security tools with scripting engines (Javascript, lua), etc.

    Whatever you can contribute will be great. :)
  • sprkymrk Member Posts: 4,884
    A very good book, Gray Hat Hacking, has a chapter (7) entitled "Programming Survival Skills". As a matter of fact, chapters 6-11 have a lot on security topics related to programming in some way.

    Ch 6 - "Automated Pen Testing" has a good intro to Metasploit, which is really an exploit development environment.

    Ch 7 - "Programming Survival Skills"
    Ch 10 - "Writing Linux Shellcode"
    Ch 11 - "Writing a Basic Windows Exploit"

    The whole book is pretty good, and IMO much better than the typical "Hacker" handbooks. As a matter of fact, Chapter 5 is actually titled "Beyond Hacking Exposed". It even has 2 chapters on reverse engineering.

    Definitely a good buy to get a look at the role that programming skills play in security.
    All things are possible, only believe.
  • Slowhand MCSE: Cloud Platform and Infrastructure / Core Infrastructure, MCSA: Windows Server 2003/2012/2016 Bay Area, California Mod Posts: 5,161
    JDMurray wrote:
    I've been playing with PowerShell for a year now and it's a cool concept with a lot of useful features. I use it quite a bit for playing with the WMI. It makes me wonder why something like PS wasn't written for the initial release of Windows Server 2003.

    They talked about that at the event in San Francisco. The Microsoft Learning VP said that they decided not to package PowerShell in with Server 2008 at launch because they didn't want to spring it on people before admins were used to using it. He also mentioned that he would feel more comfortable having people rely on PowerShell for their admin needs after the next major release, as it's still on version 1.0. He did say, though, that future versions of Windows (both server and client) would come with PowerShell as the main command-line environment.

  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    Slowhand wrote:
    He did say, though, that future versions of Windows (both server and client) would come with PowerShell as the main command-line environment.
    Which is an odd thing to say because the upcoming PowerShell 2.0 has a new and beautiful GUI.

    Windows PowerShell 2.0 Community Technology Preview (CTP)
  • Slowhand MCSE: Cloud Platform and Infrastructure / Core Infrastructure, MCSA: Windows Server 2003/2012/2016 Bay Area, California Mod Posts: 5,161
    JDMurray wrote:
    Slowhand wrote:
    He did say, though, that future versions of Windows (both server and client) would come with PowerShell as the main command-line environment.
    Which is an odd thing to say because the upcoming PowerShell 2.0 has a new and beautiful GUI.

    Windows PowerShell 2.0 Community Technology Preview (CTP)

    Honestly, if I understood how Microsoft's marketing department thinks, I'd probably be locked up in a rubber-room.

  • bcairns Member Posts: 280
    My $0.02 worth...

    Language really does not matter - what does matter is your end goal.

    The language is just a tool to help you in your goal.

    That being said here is my take on languages:

    C/C++ = low to high level programming, not much you can't do with these languages, and frameworks like QT4 make it super easy to do cross platform code.

    C#/VB/C++CLI = The Microsoft .NET Framework is great, I love C# - but it comes at the price of only being able to run on Windows... there are hacks and workarounds (Mono) that allow it to run on Linux, but I really don't trust them much for anything "mission critical". But there are rumors that MS will make the .NET Framework run on multiple platforms in the coming years.

    Java/Python = the other VM languages out there all hold their own. Java has been around forever and has a ton of prebuilt classes in the API that you can use.

    In short, there is no "best" language - there is the right tool for the job. So plan on learning many languages.
  • Slowhand MCSE: Cloud Platform and Infrastructure / Core Infrastructure, MCSA: Windows Server 2003/2012/2016 Bay Area, California Mod Posts: 5,161
    bcairns wrote:
    In short, there is no "best" language - there is the right tool for the job. So plan on learning many languages.

    I can't agree more with this statement. Every computer science/information systems professor I've had has said the same thing. The focus is to learn how to solve problems, not on syntax. Given, some languages are better suited towards different ends, some development tools are geared towards particular tasks and include specific languages, but the idea behind writing the code stays the same. That's the reason why most computer science curricula include general "introduction to programming" courses, data structures & algorithms courses, assembler & hardware function classes, etc. You're taught to be a developer, to think like a programmer (read "mathematician"); it's up to you to pick the tools that suit your needs.

  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    Slowhand wrote:
    You're taught to be a developer, to think like a programmer (read "mathematician")
    Actually, programmers think like logisticians. Mathematics is only one possible application of programming, albeit a very common one. I am living proof that a person does not need to be a mathematician to also be a competent and useful programmer.
  • Slowhand MCSE: Cloud Platform and Infrastructure / Core Infrastructure, MCSA: Windows Server 2003/2012/2016 Bay Area, California Mod Posts: 5,161
    JDMurray wrote:
    Slowhand wrote:
    You're taught to be a developer, to think like a programmer (read "mathematician")
    Actually, programmers think like logisticians. Mathematics is only one possible application of programming, albeit a very common one. I am living proof that a person does not need to be a mathematician to also be a competent and useful programmer.

    That's a very good point. I think saying that programming leans heavily in the direction of problem-solving that's very similar to mathematics would have been a better statement in my earlier post. Either way, prepare to think more analytically than you ever have in your life, if you go down the coding-path.

  • JDMurray MSIT InfoSec CISSP SSCP GSOM GSEC EnCE C|EH Cloud+ CySA+ CASP+ PenTest+ Security+ Surf City, USA Admin Posts: 12,673
    Slowhand wrote:
    Either way, prepare to think more analytically than you ever have in your life, if you go down the coding-path.
    Yes, I agree with that 100%. It is one of the most mind-intensive professions ever invented by man. A perfect pastime for intellectually-obsessive people.