I ran a poll on Twitter recently, trying to ask this question in an open way, to see what people thought. I was surprised that a lot of folks not only voted, but also shared some strong opinions. This was the final vote count:
To be of value to #infosec community, must contributors be able to write code?
— Kate Brew (@securitybrew) September 28, 2017
I tried to make it OK to vote "yes", since the InfoSec community is typically open and inclusive of all kinds of people, and I didn't intend for a "yes" vote to be construed as negative. Not sure I accomplished that goal, but in any case the comments offered were maybe even more telling of the community's views than the numeric result of the poll.
The question turned out to be much more controversial than I expected. Several people were adamant that coding, especially writing scripts to automate tasks, is an essential part of the InfoSec job. Then there were others who had more of the attitude of “it takes a village”, and suggested that many different skills are of value to InfoSec professionals.
Coding skills are clearly both valuable and valued
This poll changed my views on the necessary skills I would recommmend for those aspiring to work in InfoSec. The ablity to write code to automate processes would be advantageous for anyone trying to get into the field. At the same time, so would a background in network engineering, system administration or help desk. There are many paths that lead to InfoSec careers. Not everyone that works in InfoSec comes from a coding background, but the comments suggest that those who do find it helpful. And while not everyone in InfoSec is proficient in coding/scripting, this ability sure seems to help those who are.
It's not yes/no. There will be valuable jobs in infosec without coding. But there's non-decreasing number of roles that need code skills.
— Paco Hope (@pacohope) September 28, 2017
Interesting Q. Im scanning through all the names of those who I think made the largest infosec contributions, and how many know how to code.
— Jeremiah Grossman (@jeremiahg) September 28, 2017
— Jeremiah Grossman (@jeremiahg) September 28, 2017
The way things are going, the next generation will graduate from school knowing how to code.
— Jen Savage (@savagejen) September 28, 2017
Coding skills allow folks in InfoSec to be more effective
Probably my favorite comment of the bunch, from Jeremiah Grossman:
Maybe in boils down to you don’t need to be able to code in order to contribute, but the biggest contributions are by those who can. Fair?
— Jeremiah Grossman (@jeremiahg) September 28, 2017
But quite a few folks either didn't like to write code or felt it was not a core competency. Here's one example, but there were many more. I particularly like how Andrew phrased his tweet!
I probably couldn't write any useful code if my life depended on it.
— Andrew Shumate (@andrewshumate) September 28, 2017
Coding allows InfoSec folks to automate repetitive tasks
This is a critical point because humans are notoriously bad at consistently performing repetitive tasks without making mistakes. Plus, automation allows practitioners to do more important things, like analyze activity on their network and train users to show more restraint before clicking on everything they see,
InfoSec practitioners who can code can also automate patching and other security maintenance, set up controls to block certain recognized events at the firewall level, recognize events that should require taking a box offline and running additional scanning for vulnerabilities or malware. By being able to automate such tasks, the InfoSec practitioner is more likely to be able to sleep at night as well.
Automation is key, any scripting language is a plus. For InfoSec in depth technical knowledge in one or more areas is necessary.
— Adrien de Beaupre (@adriendb) September 29, 2017
Again, great point. You'll want to reach a point where you start to automate and codify - that requires basic dev skills
— Rafał Łoś (@Wh1t3Rabbit) October 7, 2017
Absolutely. Every boring repetitive task should be automated to insure against neglect and inconsistent performance..
— C J Czelling (@CJCzelling) September 28, 2017
Honestly, coding skills help immensely. You don't have to be a wizard. Basic literacy is sufficient.
— Bill Paxil (@Soulmech) September 28, 2017
Some specifics suggested
From reading all the comments and a few DMs, it looks like shell scripting, Python, Ruby and Powershell are recommended options. A practitioner wouldn't have to be proficient in all of these - proficiency in even one is likely to enable them to do accomplish required automation of tasks quite handily. Those in application security (AppSec) would of course have different coding proficiency needs.
I think it depends on the area of focus. I do feel that Python, shell scripting and Poweshell is important in a lot of areas.
— Ken Westin (@kwestin) September 30, 2017
Learning PowerShell has definitely upped my game but I think that one can be successful as long as they have drive and passion
— Bobby Everetts (@CERTainlyBobby) September 30, 2017
Conclusion
I'd advise anyone who is considering getting into InfoSec or already working in InfoSec to pick up at least one automation language / scripting capability. Does this suggest that those without coding skills are without worth to the community? Hell no! There are plenty of awesome jobs in InfoSec where coding isn't necessary. But if you're at university and have to choose between taking programming or basket weaving, you should probably wait until retirement to start making those baskets!
