
coding for a security specialist?

So I'm a cybersecurity student, aspiring penetration tester and all that stuff. I have 2 important questions. First, I've gotten a lot of mixed answers on this one, but what would you all consider the most important coding language for someone in my field to study to pick up? Second, and this is a bit of an afterthought, security and CCNA certs aside, what are some certs, or other fields of study to look into to benefit me?


1 hour ago, AntiHero said:

what would you all consider the most important coding language for someone in my field to study to pick up?

C, assembly, bash and JavaScript are probably the most widely used but in general it's going to depend on what you work on.

 

Don't really know about US certs, sorry.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Can't advise on certs, but for languages Python is sure one of those I'd use for security. Just because it's easy to write up little scripts that do stuff on the web, exploits etc. and has enormous support and library options to ease life. Then when it comes to OS security, you almost have to know C, if that's the route you're going, you'd need to be very proficient with it. JavaScript, because everything on web is JavaScript these days.

 

One more thing. Not really a language per se, but a framework for exploits. It's Ruby based, so you might want that too. I'm not too sure about using other languages with it. Edit: dummy me didn't list what it was - Metasploit


2 minutes ago, DevBlox said:

Can't advise on certs, but for languages Python is sure one of those I'd use for security. Just because it's easy to write up little scripts that do stuff on the web, exploits etc. and has enormous support and library options to ease life. Then when it comes to OS security, you almost have to know C, if that's the route you're going, you'd need to be very proficient with it. JavaScript, because everything on web is JavaScript these days.

 

One more thing. Not really a language per se, but a framework for exploits. It's Ruby based, so you might want that too. I'm not too sure about using other languages with it.

So, regular Java, once I've completed the necessary course my major requires, would it be wise to turn my focus towards Python, C, Ruby and JS...? Heard Perl is used too.


16 minutes ago, AntiHero said:

So, regular Java, once I've completed the necessary course my major requires, would it be wise to turn my focus towards Python, C, Ruby and JS...? Heard Perl is used too.

I'd say not to worry too much about it, once you know a couple of languages learning a new one is easy. Maybe start with Python and C so you get some idea of both high and low level languages. If you're in a university course you'll be shown at least a handful of languages anyway.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


13 minutes ago, AntiHero said:

So, regular Java, once I've completed the necessary course my major requires, would it be wise to turn my focus towards Python, C, Ruby and JS...? Heard Perl is used too.

Fundamentals! You'll probably use whatever you need to and whatever you're researching in security. If you're learning Java, don't drop it just because it might not be perfect for your field. But don't stick to it stubbornly either, learn how other things/languages work. You'll be more comfortable with everything else after you've gotten the fundamentals.


8 minutes ago, DevBlox said:

Fundamentals! You'll probably use whatever you need to and whatever you're researching in security. If you're learning Java, don't drop it just because it might not be perfect for your field. But don't stick to it stubbornly either, learn how other things/languages work. You'll be more comfortable with everything else after you've gotten the fundamentals.

From what I have been told the second level of Java they offer is more of the fundamentals just in much greater quantity, making your own reusable clients and APIs and such. So if my time would be better spent learning more languages rather than focusing on one, that's what I'll do; sadly I am not made of time and money enough to do all of it.


21 minutes ago, AntiHero said:

From what I have been told the second level of Java they offer is more of the fundamentals just in much greater quantity, making your own reusable clients and APIs and such.

That sounds like it should be the first level....

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


5 minutes ago, vorticalbox said:

That sounds like it should be the first level....

I mean we are using APIs and making clients to come back to to use, but from what I was told the big difference comes from the amount that goes into what we write, like 3-4x as much, and I'm sure new topics are covered, but that may be the reason the second class is CIS-111b and not CIS-112...


You need to know that (IIRC) over 60% of penetrations come from phishing email, and second place comes from physical access. Coding was way back toward the end of the line. It was given at a very good conference with the head of cyber security of HP Canada last April. It was hosted by Cisco.


21 hours ago, Franck said:

You need to know that (IIRC) over 60% of penetrations come from phishing email, and second place comes from physical access. Coding was way back toward the end of the line. It was given at a very good conference with the head of cyber security of HP Canada last April. It was hosted by Cisco.

This comment is correct but is also joining two techniques of penetration testing.

Social engineering is an extremely effective way to infiltrate a system and largely doesn't require any coding at all.

Whereas for breaking in using a bug/vulnerability, all programming is useful. The more you know about the system, the way it might be created etc. can give a great insight on how to break it.

Knowing SQL for SQL injection attacks, HTML/CSS/JavaScript for XSS attacks, Python for automating tasks such as crawling websites or SQL injection or running exploits, C/C++/C# are all good for writing exploits/malware etc.

Then there is networking for packet sniffing, MITM attacks, ARP poisoning, DDoS etc.

Knowing your way around a Linux box using only a terminal, or knowing about Windows PowerShell etc.

There is so much to know. So so much.

 

 

On 10/22/2019 at 6:51 AM, AntiHero said:

ccna certs aside, what are some certs, or other fields of study to look into to benefit me?

All certs mean nowadays is that you sat in a classroom for n amount of years. You really don't need any certs, you just need to prove you know what you say you know: open up a GitHub repo, add some exploit codes, do pull requests to fix security problems in open source software.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


10 minutes ago, vorticalbox said:

 

All certs mean nowadays is that you sat in a classroom for n amount of years. You really don't need any certs, you just need to prove you know what you say you know: open up a GitHub repo, add some exploit codes, do pull requests to fix security problems in open source software.

I know and I wish that was true here... but if you don't have that little ass piece of paper, career-based economic stability is a pipe dream


52 minutes ago, AntiHero said:

I know and I wish that was true here... but if you don't have that little ass piece of paper, career-based economic stability is a pipe dream

I guess though that there are lots of people in infosec that didn't sit a degree, MalwareTech for example
 


                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


Oh I believe it, but geographic location also plays a small part, well, moderate part I think. There are a fair amount of companies over here that, regardless of how good you are, you're not getting past human resources without the right credentials. I even have a family member that was let go for lacking their CCNA certs after being with the company for 15 years; and this guy lives and breathes computers. He had to go back and get several certs 'cause finding a job, despite his bananas resume and skills, was proving impossible :(


Probably assembly if you want to do malware analysis in a lab.

 

I suggest you focus on web security instead of software security. The latter is more complicated. As a reference, I had choices of computer security project in college. First one focuses on software security which involves writing a rootkit that hooks itself into the kernel. The 4th one is just writing a webcrawler that would crawl the world wide web, looking for pharming websites, gathering their URLs and getting a snapshot of the webpage.

 

Guess which one I picked? 

Sudo make me a sandwich 


On 10/22/2019 at 8:31 AM, Franck said:

You need to know that (IIRC) over 60% of penetrations come from phishing email, and second place comes from physical access. Coding was way back toward the end of the line. It was given at a very good conference with the head of cyber security of HP Canada last April. It was hosted by Cisco.

You forgot social engineering. Actually, phishing is social engineering as well...

Sudo make me a sandwich 
