0

It is evident that programming knowledge such as Python, C, or bash scripting is required for most cybersecurity jobs.

What makes it somehow mandatory to have knowledge in this area and how can it help?

Is this knowledge for customization and improving existing software?

schroeder
R1W
  • 2
    Note that there are 52 job *domains* within cybersecurity. Only some of them would be helped if the person knew some programming. – schroeder Oct 25 '19 at 06:37
  • @schroeder would you please provide your reference about "52 job domains"? – R1W Nov 15 '19 at 21:42
  • 3
    [NIST NICE Framework](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf) – schroeder Nov 15 '19 at 22:55

3 Answers

10

Is programming knowledge mandatory for an Information Security job?

No, it's not. You can certainly become a pentester or a security architect by focusing your studies on these fields, with only minimal or no programming knowledge.

Does programming knowledge help?

Yes, it does. Because programming in turn teaches a lot about how computers work, and more informally, also how programmers work. This explains why some vulnerability classes still exist, even if they have been known for 20 years now.

Does every job include fixing or customizing software?

No. Pentesters generally don't fix software. They show vulnerabilities and make suggestions on how software can be fixed. Other Information Security jobs may indeed require such suggestions to be implemented, which then basically equates to "being a programmer", and thus requires programming knowledge.

Why do so many Information Security jobs require programming knowledge?

Because Information Security is a vast field, like mammals. Asking "Do Information Security jobs require programming knowledge?" is like asking "Are mammals dangerous?". The answer is, some are and some are not.

As mentioned above, some jobs may require you to do a lot of programming, and thus naturally they will require skills in those programming languages.

  • 2
    Another point: if you know how to program, you can program tools or scripts that simplify or speed up your pentesting (or even just creating reports). Basically: it's a good skill for anyone using a computer for tasks that can at least partially be automated. – Bakuriu Oct 21 '19 at 19:17
2

Because those with the programming knowledge have a considerable edge over those without:

  1. Reverse engineering malware
  2. Understanding vulnerabilities in code
  3. Creating custom tools
  4. Writing custom exploits, etc.

Using automated tools is great, but unless you understand how those automated tools function, you'll never be able to level up.

But, you don't need to know how to write code to earn money with security knowledge. Bug Bounty is one way to know so much about security with almost no knowledge about programming. STÖK explains it perfectly in his "How to get started with Bug Bounty" video, check out 9:30 - 10:01.

Anders
s h a a n
1

It is useful for a security person to be able to make their own scripts.

Advanced programming should not be required because programming is a software designer's job, not a security person's job. If you impose a mix of the 2 as an employer, you are making a big mistake because that person will spend insufficient time dealing with security.

So a script and a small program may help you in your security job, but by no means will you be able to efficiently do high-end security as a programmer. You will not ever have the time to do that.

Further, there are many security tools you can adapt in an easy manner with some basic scripting knowledge, so it makes sense to have a little skill in this area.

Overmind
  • 1
    In addition, programming knowledge can be a valuable asset in code reviews or for creating custom scripts for custom scenarios. Sometimes tools of the trade are just overkill for "certain" scenarios. – game0ver Oct 21 '19 at 12:07
  • I disagree with you; what you mentioned is different from what I experienced. It is mandatory, somehow: for many tasks like automatic penetration testing, network discovery, etc., you have to be able to make your own scripts. – R1W Oct 21 '19 at 12:40
  • 3
    Penetration testing is only a small part of overall security. People should stop considering it as the main part of it; it is not. – Overmind Oct 21 '19 at 12:47