Tuesday, March 20, 2007

Security: Programming and Digital Security

Richard Bejtlich responded to a question regarding whether it is necessary to know programming as a prerequisite for security work. Rich gave the perspective of a security researcher who doesn't program. With his credentials, he is proof enough that you don't need to.

However, I can offer a slightly different perspective, from a programmer's point of view. When I worked for Rich several years ago, that was my first introduction to the realm of security from the other side of the fence. As a programmer, I had no real problem following along with his tutorials and assigned book reading about TCP/IP packets (yes, Rich actually assigned book work for our job; I think I was the only one who actually read any of it), since I had written socket-based programs before. In reading about buffer overflows, I didn't have any problem, since I was already very familiar with the problems that are common with memory management in C and C++. Understanding other bugs like off-by-one errors, out-of-bounds accesses, integer overflows, null pointer dereferences, and other programming headaches that can cause security issues helped in understanding exploits: how they are executed and how they are written. Being able to read source code helped me understand what code was doing, since most security code out there is very poorly commented. Understanding sockets and memory management, I was easily able to understand remote exploits. When I read the infamous Phrack article "Smashing the Stack for Fun and Profit", my background in ASM helped me understand how this worked and why.

My point of view on this question is that it is not necessary to have a programming background in order to be an effective security professional. A strong understanding of networking and networking technology, yes. An inquisitive mind and an investigative instinct, yes, at least in the NSM model. But it doesn't hurt to at least understand some fundamental programming concepts. Some basic scripting, whether it is Bash, Perl, or whatever, is definitely a plus. So from my personal experience, I can say it's good to have, but not necessary.

1 comment:

Richard Bejtlich said...

Hey John,

Post a link to this story as a comment on my blog so my readers can learn about your thoughts.

Thank you.