Many new people to Pen Testing often find themselves asking this question: Do I have to be able to write code in order to be a good Pen Tester?
I wanted to try and answer this firstly by saying it depends, although it’s good to sit on the fence as I think if you are doing more network type Pen Testing then knowing how to code is not essential but can help. For example when you need to do something and you can write a really quick nasty bash file or python script to do it for you it saves you time, which as we all know is never on our side when doing a Pen Test. However I don’t think you need to know the ins and outs of programming in network security and I think Tom will agree with this. When it comes to web applications I think it’s a very different issue being able to understand code and write code is essential because you need to understand how the developer may have written code, for example if you are trying to bypass a log having a good understanding of who it may have be coded with, which can make it easy to find holes in the code and exploit it.
So when it comes to programming what should you learn? Well in a recent survey done in the UK by Robin Wood python was at the top of the list. This is what I am currently learning but everyone has their own choice I know Pen Testers who love Perl (yuck) and some who only code in ruby the language of Metasploit. I think the best thing to do is just to try and learn one language really well and go from there as it will be easy to pick up other languages up once you know the basic of ifs,loops,variables so on. Many people pick Python as their starting points and there are lots great resources out there for all programming languages.