Parthenon
Newcomer II

Coding Languages

Hey Guys,

I'm trying to shift my career from IT Auditor to more of a true IT position. I currently have CISA and I'm working on CISSP. Should I learn basic coding? And if so, what coding language should I take? Am I better off taking a live course at a local university or should I try to self-teach via online learning sites?

 

Any help/advice appreciated.

Thank you!

9 Replies
rslade
Influencer II

> CISSPette (Viewer III) posted a new topic in Career on 08-14-2018 01:29 PM in

> Hey Guys, I'm trying to shift my career from IT Auditor to more of a true IT
> position. I currently have CISA and I'm working on CISSP.

Have you done any programming at all?

> Should I learn basic
> coding?

Well, there are too few security people who understand programming (and too few
developers who *care* about security), so I'd say yes.

> And if so, what coding language should I take?

I'd really like to say Logo, but these days Python is probably your best bet.

> Am I better off taking a
> live course at a local university or should I try to self-teach via online
> learning sites?

If you haven't done any programming, a course might be good, since there is more
to programming than coding. But if you just want to learn the language, get the
system installed and grab a book or an online course. (Book is better than course.)

Programming books:
http://victoria.tc.ca/int-grps/books/techrev/mnbkpr.htm

James
Contributor I

If you're working on your CISSP, it won't require that you know how to program, but it certainly doesn't hurt. 

 

If I had the time, I would love to learn Python as it is heavily used in the industry.  If you like the classroom environment, you can take classes at the local college or possibly local chapters might have some additional resources.  Online, I would check out cybrary.it - the online cyber library!  They have a slew of free material.

 

Good luck!

Beads
Advocate I

Depends on where you see yourself in InfoSec. Coming from the audit (business side) of the house means you will likely gravitate to a more generalist type of role and less likely a super niche application security role. Still it is very helpful to be able to automate simple tasks, grep log files and all the other cool things we do.

 

For the CISSP unto itself? No. Most InfoSec people come from the infrastructure roles with the next group coming from the administration side of the house. The latter group generally has some basic PowerShell and VBScript experience but also tend to shy away from application security.

 

"Dev-types", particularly full stack developers tend to have "mad dev skillz" in comparison to the first two groups for obvious reasons and tend to be heavily found in application security and to a lesser extent risk management parts of the field. 

 

As far as I am concerned audit provides the best "last mile" training before a career in InfoSec as it provides the business reasoning behind security in the first place.

 

Programming and development are just one segment of a very large field.

 

 

CraginS
Defender I


@rslade wrote:

> If you haven't done any programming, a course might be good, since there is more
> to programming than coding. But if you just want to learn the language, get the
> system installed and grab a book or an online course. (Book is better than course.)
>
> Programming books:
> http://victoria.tc.ca/int-grps/books/techrev/mnbkpr.htm

Please take to heart Grandpa Rob's observation that programming is more than coding. Over several decades I have watched young coders who knew the coding language quite well totally screw up programs because no one ever taught them principles of programming, how to develop a program architecture, how to incorporate error checking and other protections. Much of the security mess we have faced for years has resulted from coders releasing code that worked when the end user treated the program correctly, but failed, sometimes with serious security consequences, when a user accidentally or intentionally input unexpected content for a variable.

 

Good software is written by a team with architects and programmers at the top, telling coders what to write for the different modules in the overall program.

 

Class, who can tell us why we still have buffer overflow problems in commercial programs?  

 

As others have said, you do not have to know programming, or even coding, to pass the CISSP exam, or to do many of the jobs that a CISSP is called for, but it will definitely help you to understand basic principles of programming and how to implement them with a representative coding language like Python.

 

Good luck!

 

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
DAlexander
Newcomer III

I agree with what everyone here has posted.  Python is a great language to start with and will allow you to become familiar with the main concepts of programming and logic.  From there it really depends on what you want to apply your skills to that will determine which language suits your needs best.  In my experience, the most difficult part of switching to new languages is learning the differences in syntax.  It isn't as difficult as going from say, Spanish to Mandarin but more like switching from Los Angeles English to London English.   

 

I would also strongly recommend working through the book, "The Elements of Computing Systems" by Noam Nisan and Shimon Schocken...aka "Nand To Tetris."  This will walk you through the very basic concepts of logic gates all the way through machine code, assembly code, and ultimately programming your very own Tetris game.  I think it's valuable to know what is going on "under the hood" when programming.

Steve-Wilme
Advocate II

Whilst any language would teach you something about programming, it depends what you're trying to get out of the effort.  You could look at the CSSLP before diving into a programming course, unless you have a lot of time on your hands.  Going through the OWASP Top 10 and SANS Top 25 common vulnerabilities would teach you something if you have some appreciation of programming.  It depends if you want to work in AppSec or in a more general InfoSec field.

 

Personally, after 15 years of software development, having used various Basics, Assembler, Fortran, Lisp, Cobol, Pascal, Delphi, ADA, C, C++, Javascript, Java, I'd just had enough of the development field.  Before diving into coding, perhaps you should find a friendly pen tester to ask which languages and frameworks are worth learning and will most reward your efforts.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Elvar
Newcomer II

Coding always helps, always. But you have to be aware of what your goal of coding is before you start.

  • To be able to understand developer concepts
  • To be able to read and understand code
  • To aid your primary skill
  • A primary skill

When it comes to choosing a language there are three I highly recommend

  • PowerShell - Easiest to get instant value for if you are in a Windows environment.
  • Python - Easy to write, limitless possibilities regarding the ecosystem, there is a library for everything.
  • Go - Extremely versatile, more limited than Python regarding available libraries but you end up with a single binary with no dependencies for nearly any platform (Write on Windows, compile to Linux or Mac or however you like). It is also rather beginner friendly, not as much as Python but more that you can only write the code one way so reading other people's code is easier than in Python more often than not.
Andy69
Newcomer III

Well, I suggest learning first of all the Java and C# languages (both, not only one), and the associated best practices. Even if courses are an advantage, the best thing to do is to practice the coding activity. So my suggestion is: start coding for fun. It helps you in facing the logic behind the best practices in security.

nagarajan
Contributor I

Hi Suzanne,

 

I hope you are doing well and would have started learning programming. I am a little late to see your post hence the delay in response. I would suggest learning Python as it's one such language that is used for multiple purposes and fields such as (Data Science, System Administration, Automation, Testing, Security etc).

 

See if you can subscribe to https://linuxacademy.com/, here you will learn a lot about Cloud services from different vendors, Linux, Security and Cloud Security, Python for system administration and a lot of other courses.

Regards,
Nagarajan Viswanathan (Raj)