What Languages do I need to learn for CyberSecurity?
- Joel Van Dyk
- Sep 11, 2020
- 4 min read
CyberSecurity, just like IT in general, is getting more software-driven. Short of starting out as a developer, what should most CyberSecurity professionals know about software and languages?
To start with, you should know how software is constructed and how it is built, as you will be inserting your processes into a software build process. It’s not necessary for a CyberSecurity person to be the master of any of these. But you do need to be a “jack of all trades” so you can understand multiple attack vectors, threats and vulnerabilities in software and have a productive discussion with the developers.
I always think the place to start is C (https://en.wikipedia.org/wiki/C_(programming_language) and https://en.wikipedia.org/wiki/The_C_Programming_Language). (I’m giving lots of references to Wikipedia because, contrary to some opinions, the articles on computer languages are well documented and good introductory material.) Learn it as part of your university education or elsewhere. C is a strongly typed, compiled, fast, and objective language that will teach you how software should be written and often isn’t. It is also the basis of many of the languages below. It has been around a long time and there are plenty of examples and ways to adapt the methods in it to other problems (e.g. “Numerical Methods in C” or “Algorithms in a Nutshell”). If you get really good at it you can go on to C++ (https://en.wikipedia.org/wiki/C%2B%2B), which is used in a lot of hardcore, calculationally intensive projects to figure out things like risk. This will be especially useful for those specializing in application security.
If you are working in application security, you are also going to have to be able to speak the languages the developers are working with. This means being able to hold a conversation with them about false positives and fixes. Again, C/C++ is a good foundation and is used for large calculation projects. Java (https://en.wikipedia.org/wiki/Java_(programming_language)) and JavaScript (https://en.wikipedia.org/wiki/JavaScript) are used in a lot of web application development, which covers a lot of development projects. It also leads to a lot of vulnerabilities, as Java will run in a Java virtual machine which isn’t always as locked down as it should be. You will also need to be familiar with source code repositories such as Git/GitHub (https://guides.github.com/introduction/git-handbook/). The other half of the development world works with Microsoft, so you will need a passing familiarity with Visual Basic (https://en.wikipedia.org/wiki/Visual_Basic) and its processes.
One of the basic things you’ll need to do over and over in any area of CyberSecurity is collect, parse and process data to look for breaches. Excel will only get you so far. You will need to get shell scripting under your belt to collect the data. As a security admin you are also going to have to deal with putting your tools and processes on different servers. By shell scripting I mean csh/ksh/zsh/bash (https://en.wikipedia.org/wiki/C_shell) and something to get you onto Windows, like PowerShell (https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7). Once you get the data it will be in many incompatible formats, so you’ll need something to parse it and put it in a standard format. Your tools can’t do everything, and when you are doing forensics you’ll have to be inventive. We used to use Perl (https://www.perl.org), but Python (https://www.python.org) has taken over that space and should be in your basic tool belt too. Python is something you are going to want to know well.
In CyberSecurity you are also going to have to deal with the cloud. You will need to be familiar with Terraform (https://www.terraform.io) and/or Ansible (https://www.ansible.com) in order to build services in the cloud. Jenkins (https://www.jenkins.io) or similar is often used along with a software repository like Git/GitHub to orchestrate the whole software continuous integration, continuous development Agile process. You can use it to trigger your security scans based on software checked in by developers. Then, tools like Chef (https://www.chef.io/why-chef/?utm_campaign=ga_dg_search_brand_all&utm_source=google&utm_medium=cpc&utm_content=chef&utm_term=%2Bchef%20%2Bsoftware&gclid=CjwKCAjwnef6BRAgEiwAgv8mQVpJK2fvRv7LljY1PgnsHdLPTpuzFPyaEem2nYG5T0sXHCU6cCKGBBoCnowQAvD_BwE) and Puppet (https://puppet.com) are for software configuration management and deployment, so get to know them also.
Some of you will work in investment banks, which have mainframes. They are complex, with a lot of processing power. This is where the books and records of the bank are stored, so it’s the “pot of gold” that hackers are looking for. They run their own suite of software, such as JCL (https://en.wikipedia.org/wiki/Job_Control_Language) to control process flows and COBOL (https://en.wikipedia.org/wiki/COBOL) and Assembler (https://en.wikipedia.org/wiki/Assembly_language) to run programs. Files are stored in a Time Sharing Option (https://en.wikipedia.org/wiki/Time_Sharing_Option) in EBCDIC (https://en.wikipedia.org/wiki/EBCDIC), not generally ASCII (https://en.wikipedia.org/wiki/ASCII), and security permissions are controlled with Top Secret (https://www.ibm.com/support/knowledgecenter/en/SS42VS_DSM/com.ibm.dsm.doc/c_DSM_guide_CA_topsecret_intro.html) or RACF (https://en.m.wikipedia.org/wiki/Resource_Access_Control_Facility).
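To make the "many incompatible formats" point and the EBCDIC point above concrete, here is an added Python example (not from the original post) that normalizes login events from three sources into one schema. The sample records, the fixed-width mainframe layout and all function names are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample inputs (not real data): three sources, three formats.
SYSLOG_LINE = ("2020-09-11T08:15:02+00:00 web01 sshd[2211]: "
               "Failed password for root from 203.0.113.7 port 52144 ssh2")
JSON_LINE = '{"ts": 1599812110, "user": "jsmith", "src_ip": "198.51.100.23", "result": "success"}'
# Hypothetical fixed-width mainframe record in EBCDIC (code page 037):
# cols 0-13 timestamp, 14-21 user ID, 22-36 source IP, 37 outcome flag (F/S).
EBCDIC_RECORD = ("20200911081700" + "OPER01".ljust(8)
                 + "192.0.2.44".ljust(15) + "F").encode("cp037")

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<res>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def event(ts, user, ip, outcome, source):
    """Common schema: UTC ISO-8601 time, user, source IP, outcome, origin."""
    return {"time": ts.astimezone(timezone.utc).isoformat(),
            "user": user, "src_ip": ip, "outcome": outcome, "source": source}

def from_syslog(line):
    m = SSHD_RE.match(line)
    if m is None:
        return None  # not an sshd password event
    outcome = "failure" if m["res"] == "Failed" else "success"
    return event(datetime.fromisoformat(m["ts"]), m["user"], m["ip"], outcome, "sshd")

def from_json(line):
    d = json.loads(line)
    ts = datetime.fromtimestamp(d["ts"], tz=timezone.utc)
    return event(ts, d["user"], d["src_ip"], d["result"], "app-json")

def from_ebcdic(raw):
    text = raw.decode("cp037")  # EBCDIC bytes; they do not decode as ASCII
    ts = datetime.strptime(text[0:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    outcome = "failure" if text[37] == "F" else "success"
    return event(ts, text[14:22].strip(), text[22:37].strip(), outcome, "mainframe")

def normalize_all():
    events = [from_syslog(SYSLOG_LINE), from_json(JSON_LINE), from_ebcdic(EBCDIC_RECORD)]
    return [e for e in events if e is not None]

def failed_logins(events):
    """One query across every source once the records share a schema."""
    return sorted((e for e in events if e["outcome"] == "failure"),
                  key=lambda e: e["time"])
```

Calling `failed_logins(normalize_all())` returns the sshd and mainframe failures in time order, which is the kind of cross-source question a spreadsheet cannot answer once the inputs differ in format and encoding.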
It’s a lot to know. The best place I’ve found to learn is the O’Reilly books (https://www.oreilly.com) on these languages. But don’t get daunted starting out. That is why you start in security as an apprentice and lean on the older folks for knowledge that they have in their heads or posted on the Web. Remember what I said at the beginning: you aren’t going to be master of all these; you are aiming to get a broad “jack of all trades” knowledge of them.
