> CISSPette (Viewer III) posted a new topic in Career on 08-14-2018 01:29 PM in

> Hey Guys, I'm trying to shift my career from IT Auditor to more of a true IT
> position. I currently have CISA and I'm working on CISSP.

Have you done any programming at all?

> Should I learn basic
> coding?

Well, there are too few security people who understand programming (and too few
developers who *care* about security), so I'd say yes.

> And if so, what coding language should I take?

I'd really like to say Logo, but these Python is probably your best bet.

> Am I better off taking a
> live course at a local university or should I try to self-teach via online
> learning sites?

If you haven't done any programming, a course might be good, since there is more
to programming than coding. But if you just want to learn the language, get the
system installed and grab a book or an online course. (Book is better than course.)

Programming books:
http://victoria.tc.ca/int-grps/books/techrev/mnbkpr.htm

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Under democracy, one party always devotes its chief energies to
trying to prove that the other party is unfit to rule--and both
commonly succeed, and are right. - H. L. Mencken
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

If you're working on your CISSP, it won't require that you know how to program, but it certainly doesn't hurt. 

 

If I had the time, I would love to learn Python as it is heavily used in the industry.  If you like the classroom environment, you take classes at the local college or possibly local chapters might have some additional resources.  Online, I would check out cybrary.it - the online cyber library!  They have a slew of free material.

 

Good luck!

Depends on where you see yourself in InfoSec. Coming from the audit (business side) of the house means you will likely gravitate to a more generalist type of role and less likely a super niche application security role. Still it is very helpful to be able to automate simple tasks, grep log files and all the other cool things we do.

 

For the CISSP unto itself? No. Most InfoSec people come from the infrastructure rolls with the next group coming from the administration side of the house. The later group generally has some basic PowerShell and VBScript experience but also tend to shy away from application security.

 

"Dev-types", particularly full stack developers tend to have "mad dev skillz" in comparison to the first two groups for obvious reasons and tend to be heavily found in application security and to a lesser extent risk management parts of the field. 

 

As far as I am concerned audit provides the best "last mile" training before a career in InfoSec as it provides the business reasoning behind security in the first place.

 

Programming and development are just one segment of a very large field.

 

 

I agree with what everyone here has posted.  Python is a great language to start with and will allow you to become familiar with the main concepts of programming and logic.  From there it really depends on what you want to apply your skills to that will determine which language suits your needs best.  In my experience, the most difficult part of switching to new languages is learning the differences in syntax.  It isn't as difficult as going from say, Spanish to Mandarin but more like switching from Los Angeles English to London English.   

 

I would also strongly recommend working through the book, "The Elements of Computing Systems" by Naom Nisan and Shimon Schocken...aka "Nand To Tetris."  This will walk you through the very basic concepts of logic gates all the way through machine code, assembly code, and ultimately programming your very own Tetris game.  I think it's valuable to know what is going on "under the hood" when programming.

Whilst any language would teach you something about programming, it depends what you're trying to get out of the effort.  You could look at the CSSLP before diving into a programming course, unless you have a lot of time on your hands.  Going through the OWASP top 10 and SAN top 25 common vulnerabilities would teach you something if you have some appreciation of programming.  It depends if you want to work in AppSec or in a more general InfoSec field.

 

Personally, after 15 years of software development, having used various Basics, Assembler, Fortran, Lisp, Cobol, Pascal, Delphi, ADA, C, C++, Javascript, Java, I'd just had enough of the development field.  Before dividing into coding, perhaps you should find a friendly pen tester to ask which languages and frameworks are worth learning and will most reward your efforts.

Coding always helps, always. But you have to be aware of what your goal of coding is before you start.

• To be able to understand developer concepts
• To be able to read and understand code
• To aid your primary skill
• A primary skill

When it comes to choosing a language there are three I highly recommend

• Powershell - Easiest to get instant value for if you are in a Windows environment.
• Python - Easy to write, limitless possibilities regarding the ecosystem, there is a library for everything.
• Go - Extremely versatile, more limited than Python regarding available libraries but you end up with a single binary with no dependencies for nearly any platform (Write on Windows, compile to Linux or Mac or however you like). It is also rather beginner friendly, not as much as Python but more that you can only write the code one way so reading other people's code is easier than in Python more often than not.

Well, I suggest to learn first of all Java and C#laguages (both, not only one), and the associated best practices. Even if courses are an advantage, the best thing to do is to practice the coding activity. So my suggestion is: start coding for fun. It helps you in facing the logic behind the best practices in security.

Hi Suzanne,

 

I hope you are doing well and would have started learning programming. I am a little late to see your post hence the delay in response. I would suggest learning Python as its one such language that is used for multiple purposes and fields such as (Data Science, System Administration, Automation, Testing, Security etc).

 

See if you can subscribe to https://linuxacademy.com/, here you will learn a lot about Cloud services from different vendors, Linux, Security and Cloud Security, Python for system administration and lot of other courses.