90% of your security problems are related to bad code, somewhere down the line.
And being a paranoid type, and a bit of a worrier about THINGS, I fear we’re losing some Kung Fu. What does the next generation of security folks look like? From what I can see, they’re even LESS inclined to code. This, in my opinion, is a problem. The 2011 Verizon DBIR mentions malware and hacking, both of which usually come down to a patch, a flaw, a vulnerability. A piece, or pieces, of bad code. The number of Web application-related flaws is going up and up, particularly XSS (SQLi is steady, even down a slight bit, yay). We need to understand code, period. Here are a few reasons why:
- Your organization’s developers need help. Think it’s hard to convince the rank and file of your organization that security is important? Coders are under WAY more pressure to deliver projects in many cases, so security almost always takes a back seat. Help them.
- You need to understand what vulnerabilities mean, and what exploits are doing. That may include a bit of code.
- You need to crank out some scripts, or write a few simple programs, during security assignments (particularly pen tests).
These are just some ideas to get you started. But if you’re one of those security folks who routinely convince themselves that they don’t need any coding skills, you really need to develop some. This is, in fact, a career development thing. Forget that latest shiny vendor widget. Learn some fundamentals. Here are a few suggestions to get you started if you are new to this, or maybe even just rusty:
- Teach Yourself C++ in 24 Hours: This one is a great refresher if you’ve been away from code for a while. Or a good intro to object-oriented programming.
- Python Programming for the Absolute Beginner: A *great* start in Python. A little basic, so you’ll want to expand, but this is hard to beat for beginners.
- Programming Python: Once you’ve finished the first two, get this. It rocks.
- Classic Shell Scripting: A killer fundamental book on shell scripting. Comes in handy a LOT.
- Wicked Cool Shell Scripts: They are, in fact, wicked cool. More importantly, you’ll learn to think outside the box. And that counts a LOT in security.
There’s plenty more. I have books on Ruby, Perl, and lots of other languages. Pick one you like! These are just some that are easy to work with and may help you ease back into the world of programming. I, for one, am not a talented programmer, and never claim to be. But I can pull it off, and I *get* code. There’s a solid chance you need to, as well.