Programming language for network security

Question

I am working as a tester now. I am planning to move to the domain of security such as a CEH or CISSP. But many say that to be a great hacker you need to know at least one programming language well. I already know a bit of Java. But I just wanted to know which language is closer to network security and related domains. So what kind of language should I be learning so that it would be helpful for me to move to the domain of security?

Answer 1

There is no defined blueprint on what is the best language to learn. Therefor I would like to mention two good alternatives that I (and many otheres) think is a good languages to learn in computer security.

LUA

Explanation of Lua from wikipedia: Lua is a lightweight multi-paradigm programming language designed as a scripting language with "extensible semantics" as a primary goal.

The reason I mention LUA is a good language to learn is that it is the scripting engine for MANY popular security tools. This is a very good reason alone to learn this language. Some of the langauges include:

• NMAP (Network mapping tool)
• Snort (Open source IDS)
• Wireshark (Packet sniffing tool)
• Vim (Very popular unix text editor)
• Cisco ASA (firewall, IPS, VPN)
• Network services tools (Apache, lightHttpd, FreePop)

On a side note: Even Blizzard major hit World of Warcraft has support for LUA scripting inside the game :) To whomever that may be relevant to.

Python

I am a bit biased on Python after I've started reading the book "Gray Hat Python: Python Programming for Hackers and Reverse Engineers". I agree with many of the points from this book why it is good to learn this langauge for a hacker (commonly known as security specialist :)).

Quoted from Amazon Python is good language to learn because:

it's easy to write quickly, and it has the low-level support and libraries that make hackers happy.

It is also very comfortable to be able to interact on the fly with the interpreter in your Python shell.

Edit: Graphical view of HackerNews polls on favorite/ disliked programming languages:

Edit 2: From Digininjas poll:

Language    Number  Percentage
Python  245 81%
Bash Scripting  241 79%
Ruby    127 42%
C   123 40%
Windows Powershell  111 37%
Batch Scripting 108 36%
PHP 107 35%
C++ 66  22%
Java    65  21%
Perl    57  19%
Other   57  19%
VB  29  10%
C#  26  9%
Lua 23  8%

Answer 2

There is not that sort of connection between programming languages and security, what might be a better way of looking at it is to learn common languages (so java would be a reasonable starting point) as all languages have security problems - you might as well look at security problems on a wide range of web applications and platforms rather than something esoteric.

Understanding network protocols is a good idea, and being able to analyse traffic at layers 1 - 4 can help, but this is broadly language agnostic.

have a good read of the other questions tagged Professional-Education for wider guidance.

Answer 3

Some parts of network security involve fiddling with the small details of TCP/IP packets as they are sent and received; to do that, you need to be able to intercept packets at a low level, and emit handcrafted packets as well (under Linux, for instance, this is known as using a SOCK_RAW socket). Not all programming languages provide usable API for that; knowledge of C is sometimes required to use these features.

Apart from that, any versatile programming language which has no trouble receiving and sending arbitrary bytes will be good for you; Java is fine in that respect.

Answer 4

Note: I realized this is very biased towards systems and away from generic security. Security is a process and involves more than technology.

There are two routes you can choose from and unfortunately (IMHO) neither include Java.

C is a very good systems language. You can work with unix and linux and dig down close to the metal -- system calls, kernel space, low level networking, etc.

The other route is a scripting language that allows you to quickly glue together tools and program at a higher level. Most scripting languages like perl, python, and ruby will give you access to socket level abstractions. I'm biased for python, because you can easily write C modules for it if you need performance or low-level access.

Now to address the falsehood in your question...being a great hacker transcends programing languages. Being a great hacker is a state of mind. It incorporates questioning everything and being able to creatively solve problems. If you can do this, you will learn the languages you need to because you will be self-directed towards them.

Answer 5

You really can't learn languages in order to learn security. Most security problems are much more subtle than that. The one exception to this is SQL queries: at some point, you really need to understand the difference between combining strings and parameterized queries. But SQL queries are built using another language, whether Java, PHP, Ruby, and so forth.

But you do need to understand scripting languages. You need to write your own tools, and customize existing tools. Good scripting languages to learn include JavaScript, PERL, PHP, and Ruby.

You've already started with Java, so I suggest you continue learning Java. Learn how to use Java on the webserver for building webapps with an SQL backend. Learn how to use Java to create simple command-line programs.

Once you've got some experience actually writing code in any language, start branching out to other languages. A good next step would be JavaScript. JavaScript can be used both on the server to create webapps, and on the command-line. But most importantly, you use it within the browser, so it's the one language you sorta have to learn.

Java and JavaScript use a syntax similar to C. It's a good idea to familiarize yourself with the difference with other C-like languages, namely C, C++, C#, and PHP.

Answer 6

I agree with a lot of what's been said above. In particular, though, I'd like to emphasize Ruby's importance somewhat. In my mind, Ruby is a great "hacker" language for a few reasons:

1. (Subjective) It's a beautiful, clever, and expressive language, which makes it possible to hack out quick-and-dirty solutions to problems in short order.
2. Metasploit is written in Ruby
3. Ruby's gem library is vast and powerful, which, again, makes it relatively easy to solve problems quickly.

Answer 7

I highly recommend nmap, socat, lft, and curl when learning any network security related Unix commands. There's often little reason to reinvent these wheels.

OpenVAS supports a network security specific script language called NASL, although it originally comes from the Nessus tool, where NASL was based on CASL (from the Network Associates' CyberCop Scanner).

Many HTTP/TLS fuzzers have added support for things like Web Services and other powerful programmatic controls. The cool ones I've seen lately are resty-burp, buby, wXf, and shrapnel.

Utilizing some kind of packet capture app is also useful, whether it be tcpdump, snort, Wireshark, Network Miner, or HTTP Scoop.

Many consider Lua, Python, and Ruby to be considerably better for short-term and interim network security projects than any other languages, although the DSLs described by Metasploit, wXf, and watir-webdriver make for an interesting case to support Ruby MRI and JRuby over others. Reversely, Lua does have a lot of support for filter based technologies, such as Wireshark, mod-security, and snort (PCRE is also very commonly found in these technologies).

In summary, if you are going to be modifying any code from network security projects, you are more likely to be shelling out to a C program, but calling a library or framework extension written in Ruby, Python, or Lua. If your focus is on sending traffic (especially HTTP or exploits), Ruby is a best bet -- but if your focus is on receiving traffic (especially IDS or packet capture), then Lua is a best bet. For just general learning, I've seen dpkt in Python do some amazing things very quickly during a prototyping phase.

Check out the book, Coding for Penetration-Testers for further reference material.

Answer 8

I have been doing systems development for years starting with Basic and Cobol, then dBase III+, VB6, Asp.Net using Access, and SQL Server. I am also a CISSP.

I think he should learn assembly language. Though it may sound irrelevant, it will give him a strong foundation in reverse engineering and also help him to understand the basis of C, C++ etc. When source code is not available, then after reverse engineering what you will have is assembly.

Answer 9

Contrary to one of the answers, for security, Visual Basic 6.0 is just one of the preferred languages. Just two days ago I saw a professional network scanner posted on facebook (komodolabs.com/network-scanner-news/). Malwarebytes and many antiviruses are a mix between Visual Basic 6.0 and the assembly language ... so, Visual Basic 6.0 (but not VB. NET) is a favorite.

Visual Basic 6.0: A giant more powerful than ever