There is an age-old debate in security: Should cybersecurity professionals know how to code? Should they invest the time and effort to learn?
The answer from cybersecurity professionals has usually been a resounding no. Their argument is that cybersecurity covers so much ground that it doesn’t make sense to expect every role across the security team to have coding skills. It’s time to change that outlook.
Having coding skills leads security people to a deeper understanding of their systems and applications—the value of computer science blossoming in front of their eyes. When you understand code, you get closer to the operation of the computer itself.
Remember, the cloud is just someone else’s computer. When you know how something works from the inside out, you open a new level of capabilities for applying your security knowledge.
There are different levels of proficiency when it comes to coding. As a security professional, you don’t have to be able to commit code at the same rate as your development teams. In fact, you don’t really have to do any coding on a regular basis. Just learning the fundamentals of a single object-oriented language gives you the ability to read code in many other languages. The object-orientation part is essential because most modern languages are based on this approach. Gaining an aptitude for reading code will carry you through what you need to accomplish most of the time.
To help you decide whether you should learn how to code, here’s a look at how coding skills enhance five different cybersecurity roles.
Application/software security lead
This one seems like a no-brainer. These security team members work day in and day out with developers, judging the activities they perform and offering advice.
Any app sec lead who lacks basic coding skills and knowledge is going to be out of their depth when working with developers. There’s no faking it; developers are good at discerning whether the security person they are working with has the coding knowledge and experience to offer a valuable opinion.
Coding value proposition: Learn to code to directly influence the developers you work with every day.
SOC analyst/threat hunter
Analysts and threat hunters spend their days watching incident data via a SIEM, hunting for the next anomaly in the data stream, and reacting and escalating appropriately. The keyword for them is “data.” They are always looking for ways to analyze the data better, and many times that is best accomplished by writing a script in Python. Python is an object-oriented coding language and lays the foundational knowledge to understand most other languages.
Coding value proposition: Learn to code to write better scripts, which will help you find adversaries across all your datasets.
The auditor role may be the most difficult to justify. Auditors spend their time assessing requirements and creating and executing audits based on organizational policies and governmental regulations. They inspect and assess large swatches of technology and interview many technical people. Some auditors even perform testing.
But any auditor would like to be able to tell whether people were withholding a portion of the truth. Enter coding skills. When auditors have a deeper understanding of computer science and programming, they ask better questions in interviews and better evaluate subjects’ answers.
Coding value proposition: Learn to code to unlock a superpower to help you ask and interpret better questions and answers about the things you assess.
Pen testers try to break things that others have created. But, of course, what they are trying to break is written in some form of programming language.
For pen testers, the benefits of coding knowledge are twofold. First, when trying to break something, you need to understand the intricate details of how it works, and you may have access to the source code to hunt for a vulnerability in the code before writing an exploit. Second, as a tester, you write your tools to achieve results.
Coding value proposition: Learn to code to level up your breaking skills; it is easier to find issues when you understand the underlying construction of the things you break.
One thing that chief information security officers have to deal with is the people who come in and out of their office all day long, either asking for money to buy new tech or explaining failures and what must change to avoid them in the future.
CISOs with some knowledge of code make better and more informed decisions. They can also better determine whether they are being told the entire story as they consider the best security path forward.
Coding value proposition: Learn to code to enable better decision making.
Ideas for how a security pro learns how to code
Perhaps you’re now convinced, and you’re ready to take steps to support your constituents by learning how to code. There are a few different suggestions for how you can learn and flourish as a coder.
Online coding education
Back to school
For those that are more daring, your local or online university has a plethora of courses in programming. You will receive a deeper computer science understanding by going this route, but it will be more intensive. You could audit the class, but then you lose the accountability for doing the homework.
Pairing with an existing developer
As it turns out, you have a captive audience of instructors within your organization. Pairing with an existing developer is where you, as the security person, shadow the developer for a period and learn from watching over their shoulders and asking lots of questions.
Not if, but when
Security teams, you must learn how to code. Code is the language of the future and of technologies past, and to best serve your constituents, you must write code, and understand the code written by those that you support.