Penetration Testing mailing list archives
Re: Programming skills for Pen Testers
From: "Justin Ferguson" <jnferguson () gmail com>
Date: Tue, 28 Feb 2006 21:26:29 -0800
As I previously said when I originally replied, I completely agree, but I want to emphasize something here. Just like you said, how can you understand buffer overflows without understanding C/assembly, building upon that idea, each language has its own subset of security flaws, some which build upon others (i.e. C++ can have the same problems as C), and some of their own (C++ brings with it some of its own insecurities that don't exist in C), that said, its beneficial to learn and understand everything you can, How usefull overall it will be depends on your target audience. To elaborate further on the subject, figure that knowing about buffer overflows will help you find them, fix public exploits, and/or create your own exploits, but say your target is written in Java. While it may be technically possible for some misused section of the code to cause an overflow in the JVM, its not very likely. But some insecurity in the say the class loader causes private members to become accessible is more probable, thus here the buffer overflow knowledge wouldn't help where as an understanding of Java would. So all in all the point is, there really are 6 million ways to die, don't limit yourself to just one. If you really want to know the subject matter, sit down and learn it, but its not necessary, there is an entire industry of security personnel who know how to hit enter, they can run the programs you eventually write, and thus knowing how to write the program isn't necessary, but it sure helps. Also, because people distorted what I was saying last time, no I am not suggesting you sit down and try to audit the source for every program on a clients machine on their time, but it won't hurt to sit down and learn it on your own, it can only make you better at your job. On 2/28/06, Jeremy Saintot <jeremy () caramiel com> wrote:
Hello, Sure, programming does not inevitably take part of a pen-test. But don't you think some coding skills could be useful to perform certain tasks ? Not just talking about reading/patching/compiling an exploit or something found on the Internet, but sometimes you can use scripting languages such as Perl to automate some tests or other things... I think programming skills are not fully required, but at least recommended for a pen-tester. How can you understand buffer overflows if you don't know about C and/or Assembly ? What about applicative web vulns if you don't have any PHP/SQL/XSS skill ? As an answer, I would say that at least one compiled language (C) and one scripting language (Perl) are recommended and can be useful for a pen-tester if intelligently used. Regards, Jeremy Craig Wright wrote:Hello First just to get this in C programming is a good skill. C++ is also not bad to have. This said, what the hell is this doing in a pen test discussion. /* ** start rant */ How can anyone here honestly state that programming skills are needed for pen testing? An audit of source code is NOT a pen test. This does require coding skills - they are not the same thing and anyone who thinks they are is under a delusion. Are we talking "Vulnerability Research' or Pen. Tests? Do we all understand that they are NOT the same thing? If a business/organisation/etc is paying you for 20 hours of applied testing - I certainly hope that you are not going off on some ill conceived tangent and effectively taking their money without doing the service you have been commissioned for? Thomas is correct "Time is money - your customers money" - Do not forget this! Welcome to reality. There ARE time constraints. You are not paid to research every possible theoretical vulnerability or find a new buffer overflow in a Pen Test! No wonder businesses do not trust information security. No wonder the profession is not being taken as seriously as it should be. /* ** Rant complete */ Regards Craig------------------------------------------------------------------------------ This List Sponsored by: Lancope "Discover the Security Benefits of Cisco NetFlow" Learn how Cisco NetFlow enables cost-effective security across distributed enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) and Response solution, leverages Cisco NetFlow to provide scalable, internal network security. Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response Systems in the Enterprise." http://www.lancope.com/resource/ ------------------------------------------------------------------------------
------------------------------------------------------------------------------ This List Sponsored by: Lancope "Discover the Security Benefits of Cisco NetFlow" Learn how Cisco NetFlow enables cost-effective security across distributed enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) and Response solution, leverages Cisco NetFlow to provide scalable, internal network security. Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response Systems in the Enterprise." http://www.lancope.com/resource/ ------------------------------------------------------------------------------
Current thread:
- Re: Programming skills for Pen Testers, (continued)
- Re: Programming skills for Pen Testers intel96 (Feb 12)
- RES: Programming skills for Pen Testers 7978488 (Feb 12)
- Re: Programming skills for Pen Testers intel96 (Feb 12)
- Re: Programming skills for Pen Testers thomas springer (Feb 11)
- Re: Programming skills for Pen Testers pagvac (Feb 11)
- RE: Programming skills for Pen Testers Sahir Hidayatullah (Feb 11)
- RE: Programming skills for Pen Testers Shenk, Jerry A (Feb 11)
- RE: Programming skills for Pen Testers jeremiah (Feb 11)
- RE: Programming skills for Pen Testers Craig Wright (Feb 12)
- RE: Programming skills for Pen Testers johnny Mnemonic (Feb 12)
- Re: Programming skills for Pen Testers Jeremy Saintot (Feb 28)
- Re: Programming skills for Pen Testers Justin Ferguson (Feb 28)
- RE: Programming skills for Pen Testers Craig Wright (Feb 12)
- RE: Programming skills for Pen Testers Boogiebruva (Feb 18)
- RE: Programming skills for Pen Testers Boogiebruva (Feb 18)