Success In Pentesting: Learn To Code

Cybersecurity is rapidly becoming one of the most sought-after areas of the job market. People from all walks of life have started to develop an interest in cybersecurity, including fresh high school and college graduates, IT specialists who want to adjust their focus and deal with cutting-edge security issues, and even people in entirely unrelated careers.

The topic of breaking into cybersecurity is a complex one involving debates about certificates versus formal college degrees, gatekeeping, and technical ability. This subject can be somewhat contentious. As a pentester by trade, I’ll speak from that perspective here, but many of the points I make are valid for other cybersecurity roles as well.

I’m somewhat biased toward formal education, in that I believe that it provides a better foundation on average than self-study alone. That said, I have seen firsthand that it’s entirely possible for self-starters with a strong drive to do exceptional technical work. With enough effort, self-taught learners can be just as competitive in the job market as anyone with a college degree.

There are substantial numbers of pentesters who are content with running an automated scanning tool and calling it a pentest. In my experience, this doesn’t provide the value to a client that a full pentest involving manual exploitation of vulnerabilities would. Anyone can run a vulnerability scanner with a minimal amount of instruction. Being able to understand exploits and exploitation at a detailed level is what differentiates a great pentester from a mediocre one.

How To Start?

When seeking a role as a pentester, thorough preparation is key. As mentioned previously, formal education is great, but so are various certification options. Spending time learning the craft is important, and continuing to learn or gain experience is essential, especially in such a rapidly evolving field.

Trying to decide on what to study, though, can be daunting. Pentesting covers a vast swath of technical areas and skills, and trying to master all of these is impossible. One area of study which I believe has the most impact on a pentester’s day-to-day effectiveness is writing code. Writing code and being able to program can assist not only pentesters but really anyone involved in cybersecurity or any technical field. The ability to write software has been one of the most useful skills for me during my time as a pentester. It’s enabled me to accomplish workarounds or overcome obstacles where other testers who couldn’t code were stuck. Without question, it has had a dramatic impact on my successes in this role.

We’ve heard it as a common mantra in recent years: “everyone should learn to code”. While I don’t necessarily think that it’s in everyone’s best interest to spend the time to learn to code effectively, it can be an incredible asset to anyone involved in cybersecurity. 

Why Should I Learn To Code?

Learning to code is accompanied by a need to have a solid understanding of computer science concepts in general. You don’t have to have a Ph.D., but having a general knowledge of how computers and applications work gives you an advantage. That understanding will give you the insight to understand how newly encountered systems function under the hood and allow you to predict their weaknesses, enabling you to more easily exploit them. For example, let’s say you encounter an unfamiliar application on a pentest and see a verbose error message including a stack trace. Even if you aren’t familiar with the language being used, having an understanding of the underlying concepts gives you a distinct advantage over testers who don’t.

Another important advantage that writing code will give you is the ability to create your own tools. This can’t be stated strongly enough. It’s a game-changer to be able to construct a tool on the fly to accomplish a task you need to achieve, whether it’s on the blue side or the red side. If you can build tools that meet your needs and don’t need to rely on others for tooling, the opportunities are endless.

You also don’t need to rely on off-the-shelf code written by others for their own use cases. If there’s no tool out there for what you need, you can build your own. Found an exploit that works in some scenarios but not in your specific one? Modify it and make it work for you. Having knowledge of software development and coding gives you the ability to better understand how exploits work and why they work, as well as whether they’re safe to use in an assessment. While you’re not likely disassembling an exploit payload in every pentest, having that option is always helpful.

In addition to assisting in the everyday duties of a pentester, being able to write code opens doors to be able to contribute to the industry as a whole. People who release new tools and novel research in security tend to be well-versed in writing software. To be able to extend existing industry research or to start your own area of research is empowering and can help elevate a pentester’s career to the next level.

Coding Resources

Some may feel that coding is hard and are unsure how to do it or where to get started. Thankfully, there are lots of options for learning programming that are free and easily accessible. Just a few of the many options are:

There are also plenty of free books and guides:

In addition to educational resources, there are places to try out simple code snippets and practice without having to set up a development environment yourself:

Some beginners say they lack the motivation to learn programming, despite all of these resources. In my opinion, the key is to find something fun you want to work on. Have some situations at work where a tool that performed some specific task would have been great to have? Build it. Needed to perform a red team assessment in an environment but existing C2 frameworks were being caught and Cobalt Strike was out of your team’s budget? Build your own. The key is to find passion projects where you are motivated to continue them.

Go Forth And Learn To Code

On a final note, for those trying to break into the cybersecurity industry, building out a portfolio of software projects can help you greatly when applying for new roles. Being able to show tangible evidence of your abilities and work ethic goes a long way to demonstrate your value to employers. Build some fun tools and if you see some problems that need solutions, even if they’re not cyber security-related, write some code to solve them. Through practice, passion projects, and problem-solving you’ll gather experience to support a well-rounded resume that exhibits your expertise.

Coding is a valuable skill to learn. Whether you’re someone trying to get into the cybersecurity industry or someone already in the industry who wants to take it up a notch, I highly recommend you take the time to learn it at least at a modest level. Not only can it greatly improve your skills, advance your career and make your life much easier, but it also gives back to the cybersecurity community.

More From White Oak Security 

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 