RE: Programming skills for Pen Testers

My $.02 (what happened to the '¢' glyph on keyboards?)
 
It is better to have a good knack for spotting anomalies, thinking of unsual
interactions and combinations, and a mysterious, "artistic" ability to
follow intuitive hunches.

There is a different temperment to the usual pen/vuln-tester from either the
programmer or the QA tester.  It is probably not measurable.  

If you do not _really_ understand how computers work, how structures in
memory operate, how IP communication functions, and how code is written and
executed, you will have far fewer points to draw from.  It is always of
value to enrich this knowledge for the tester - but not to become _focused_
on the aspect of producing working code.

I agree that "quick and dirty" task automation requires decent to good
scripting.  Errors here can 'pollute' the target environment, and delay
testing or block otherwise exploitable conditions.  Also, if one is
replacing values in forms-submission, etc. then it is probably wise to know
what you are doing in the client-side scripting dialect! ;-)

--Jeremiah "rusty tester" Cornelius

> -----Original Message-----
> From: Shenk, Jerry A [mailto:jshenk@decommunications.com]
> Sent: Friday, February 10, 2006 8:06 AM
> To: johnny Mnemonic; pen-test@securityfocus.com
> Subject: RE: Programming skills for Pen Testers
>
> I wouldn't say that programming is a requirement...possibly a basic
> understanding of programming and if you're really honing in hard on
> something it would be handy to know that programming language.
> Pen-testing is really a lot of research and a log of trying different
> stuff.  If the environment you're testing is all based on MS SQL and
> asp, then your C or C++ isn't really gonna be as helpful (in that
> environment) as knowing how sql and asp work.
>
> -----Original Message-----
> From: johnny Mnemonic [mailto:security4thefainthearted@hotmail.com]
> Sent: Friday, February 10, 2006 12:42 AM
> To: pen-test@securityfocus.com
> Subject: Programming skills for Pen Testers
>
> ok we all know that in addition to good network, host and application
> security skills, programming in C is a pre-requisite for a decent pen
> tester
> or at least one who wants to write their own security tools or simply
> audit
> the open source code they use. My question is, despite their
> similarities
> should a pen tester be concentrating on C or C++ ? That's it!
>
> Thanks.
>
> _________________________________________________________________
> Get MSN Hotmail alerts on your mobile.
> http://mobile.msn.com/ac.aspx?cid=uuhp_hotmail
>
>
> ------------------------------------------------------------------------
> ------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on
> your
> website. Up to 75% of cyber attacks are launched on shopping carts,
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ------------------------------------------------------------------------
> -------
>
>
>
>
>
> **DISCLAIMER
> This e-mail message and any files transmitted with it are intended for the
> use of the individual or entity to which they are addressed and may
> contain information that is privileged, proprietary and confidential. If
> you are not the intended recipient, you may not use, copy or disclose to
> anyone the message or any information contained in the message. If you
> have received this communication in error, please notify the sender and
> delete this e-mail message. The contents do not represent the opinion of
> D&E except to the extent that it relates to their official business.
>
>
> --------------------------------------------------------------------------
> ----
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------------------
> -----






------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------