Everyone says to be into computer security you have to know programming.. is this true?
No, it is not true. Programming would help, but you can be good at computer security without knowing how to program. Having a general idea about it would be a good idea.
Computer Security is very broad and it could be anything from a simple admin, to a penetration tester, to a forensics analyst..etc etc.
well everything starts at its foundations .. and the foundation for a secure program is secure programming :)
it's more of a bonus i guess, great if you can but bypassable if you can't
Quote:
well everything starts at its foundations .. and the foundation for a secure program is secure programming
Somewhat true ;)....that is if you want to secure a program....but what good does that do to you if you're trying to secure a computer from malware and hackers? :D Yes you can argue that hackers exploit an insecure program, but there's much more than that into computer security.
Programming is a good idea, and it can open more doors for employment and make you a bigger asset to a company, but it doesn't mean you "have to" know how to program in a particular language to be good at computer security.
i agree with you cybr1d, i wasn't trying to imply that you have to know it or do it .. just saying it helps :)
if you pursue the hard core hands on security analysis & dissecting of malicious programs (à la www.sans.org), programming knowledge will come in very handy.
the exploits i have worked on have usually been very simple stuff starting up from various batch files, exe's and registry entries buried all over a windows OS & NOS.
but - that's the easy ones. where the intruder does not go to great lengths to hide themselves and what they did.
the more experienced guys tell me that there are much more complex and sophisticated intrusions where it's very difficult to diagnose because the intruder went to great effort to hide. i have not worked on or seen a system with that compromise yet. but i hear it's much more challenging than the stuff i worked on.
The key to computer security, for both sides, is understanding how the system works at its most basic levels. Programming experience helps, but it is not necessary. The thing is, when you are a programmer, you tend to understand software/OS interactions at a more basic level.
secure_lockdown, there is nothing wrong or less advanced (figuratively speaking) about a script based attack. Many of the "best" exploits are nothing more than scripts.
yea like everyone is saying it's helpful but not required...i say learn it anyway.....give you a chance to broaden your mind and learn more....
As mentioned, it all goes down to the definition of "computer security expert" and/or your interests. Vulnerabilities as one example: Are you interested in exploiting vulnerabilities that have been found (which is in principle possible without knowing programming, however a bit of bashing is needed), or are you interested in finding new vulnerabilities? The latter is difficult even if you have the source code (C/C++, [VB] mostly), and more difficult if you don't have it (the knowledge of assembler then is a must. BTW: You can learn a lot by comparing patched with unpatched systems, i.e. dll, so, exe).
Another example: If you are interested in designing "secure" network topologies and/or company process policies, you should know some RFCs, you have to understand the principles of the OSs used in the company etc., hence programming knowledge is not necessarily needed.
I recommend for a beginning: C/C++
If you are interested in assembler, I recommend nasm[1]. I would not start by putting assembler code into a C/C++ framework, since gcc (at least it was like that) understands AT&T syntax only, while usually assemblers are Intel syntax based.
But anyway: I agree with hexadecimal
Quote:
yea like everyone is saying it's helpful but not required...i say learn it anyway.....give you a chance to broaden your mind and learn more....
[1] http://sourceforge.net/projects/nasm
The fundamental answer has to be "no" as you said that the context was "SECURITY"
Security implies denial of access/attack?... programming is irrelevant in that context... they can write them in all sorts of languages... as already implied, I think that the real question has to be what area of security are you thinking of?
My thoughts
You need to be more specific about which area of security you mean. Security is a very broad subject and I would conclude it is unlikely that any one person could be an expert in all elements of security.
Programming is relevant in some but not all areas, as others have already highlighted.
Backing up your data is security related. Data has a value. No programming experience / knowledge required.
Business continuity / Disaster recovery planning is security related. No programming experience / knowledge required.
Physical access security. Programming??
I could go on, but you get my drift?
Look at the areas that security encompasses, then let the AntiOnline community know which areas you are interested in, and you will get a better idea of whether or not you need to invest time in learning to program.
In most areas of security, programming skills are not required, however, when it comes to analysis of specific threats you'll be lost without programming skills. Not too long ago I found an IRC bot that was unknown to the major vendors. Without programming skills I would not have been able to reverse engineer the bot, and thus, I would not have been able to provide details on how it works. Security is much like the medical profession. There are specialists in every area. Find your area and master it.
i actually started off with Networking skills. i took a course in Networking and it helped me a great deal in Network Security. i can pretty much understand some of the methods of breaking through a network without programming knowledge. tho now i am taking Software Development and i now have insight on the Programming side.
u can say that the skills i acquired are just accessories to what i need to learn more about computer security. it is nice to have them but they aren't really a pre-requisite.
I mastered the art of crapping in my own pants.
There is taking security measures and then there is consulting and stuff... as both a job and a profession. But doing that while being a Joe-Blow who can't code? Tisk tisk tisk... that doesn't sound too good. Hell I know guys who when they aren't either plugging a box in they are moving things around in an office and that's mostly what they do for a living... move cardboard and paper then maybe every other month plug in a few machines. Yet they can at least make an executable in VB, I'm sure. I don't even really know anyone in tech-support who hasn't at least made a few databases in C++ or VB.
But do you really know who usually gets a job without actually knowing one dang thing about computers? It's always people who end up in management of course. Seriously, the less you know about computers the higher up they place you in the office. I only wish this were a joke. :)
lol ya kno, my former instructor once warned me about IT Managers... he said "they don't know any crap as much as you do, but you will still be their b*tch."
i'm not sure if this is true, coz my former manager was an ex-programmer. and he knows a great deal of stuff outside programming. u'd say he's a 1-man army when it comes to IT stuff.
IT Manager bashing? ;) *hides*
An IT Manager of any type (security, project, whatever) doesn't need to know how to code "hello world" in any language, however a good manager will know the strengths and weaknesses of relevant languages as well as their capabilities and typical development time. These are important for knowing what resources to put where and for knowing when an engineer is lying (which they do frequently) about required resources or scheduling.
Personally I took some Ada and Pascal back in school and then later Boyer-Moore and Gypsy, which couldn't even qualify as programming languages. I also picked up PHP for my personal web stuff, but never in my career have I been required to code line one.
But then I mostly deal with policies and risk management... I suppose it just depends on what aspect of security you wish to go into as everyone else stated... however you will need some programming for a CS or even MIS degree.
cheers,
catch
Quote:
Originally posted here by TheSpecialist
I mastered the art of crapping in my own pants.
There is taking security measures and then there is consulting and stuff... as both a job and a profession. But doing that while being a Joe-Blow who can't code? Tisk tisk tisk... that doesn't sound too good. Hell I know guys who when they aren't either plugging a box in they are moving things around in an office and that's mostly what they do for a living... move cardboard and paper then maybe every other month plug in a few machines. Yet they can at least make an executable in VB, I'm sure. I don't even really know anyone in tech-support who hasn't at least made a few databases in C++ or VB.
But do you really know who usually gets a job without actually knowing one dang thing about computers? It's always people who end up in management of course. Seriously, the less you know about computers the higher up they place you in the office. I only wish this were a joke. :)
you actually don't need to be a super tech geek programmer network guru to be an IT mangler. it helps, but not needed because that's why you hire other people.
but you DO need to be able to function and fight turf battles with other managers that are constantly grabbing for the same limited co. resources and piece of the budget. that's how you ensure that there are job openings for junior IT guys in your dept.
:-0