CDC Blog

CDC Blog

Do InfoSec Folks Need to be Able to Write Code?

by User Not Found | Nov 13, 2017

I ran a poll on Twitter recently, trying to ask this question in an open way, to see what people thought. I was surprised that a lot of folks not only voted, but also shared some strong opinions. This was the final vote count:

 

To be of value to  community, must contributors be able to write code?

419 votes•Final results

I tried to make it OK to vote "yes", since the InfoSec community is typically open and inclusive of all kinds of people, and I didn't intend for a "yes" vote to be construed as negative. Not sure I accomplished that goal, but in any case the comments offered were maybe even more telling of the community's views than the numeric result of the poll.

The question turned out to be much more controversial than I expected. Several people were adamant that coding, especially writing scripts to automate tasks, is an essential part of the InfoSec job. Then there were others who had more of the attitude of “it takes a village”, and suggested that many different skills are of value to InfoSec professionals.

Coding skills are clearly both valuable and valued

This poll changed my views on the necessary skills I would recommend for those aspiring to work in InfoSec. The ability to write code to automate processes would be advantageous for anyone trying to get into the field. At the same time, so would a background in network engineering, system administration or help desk. There are many paths that lead to InfoSec careers. Not everyone that works in InfoSec comes from a coding background, but the comments suggest that those who do find it helpful. And while not everyone in InfoSec is proficient in coding/scripting, this ability sure seems to help those who are.

 

It's not yes/no. There will be valuable jobs in infosec without coding. But there's non-decreasing number of roles that need code skills.

 

Interesting Q. Im scanning through all the names of those who I think made the largest infosec contributions, and how many know how to code.

 

The way things are going, the next generation will graduate from school knowing how to code.

Coding skills allow folks in InfoSec to be more effective

Probably my favorite comment of the bunch, from Jeremiah Grossman:

 

Maybe in boils down to you don’t need to be able to code in order to contribute, but the biggest contributions are by those who can. Fair?

But quite a few folks either didn't like to write code or felt it was not a core competency. Here's one example, but there were many more. I particularly like how Andrew phrased his tweet!

 

I probably couldn't write any useful code if my life depended on it.

Coding allows InfoSec folks to automate repetitive tasks

This is a critical point because humans are notoriously bad at consistently performing repetitive tasks without making mistakes. Plus, automation allows practitioners to do more important things, like analyze activity on their network and train users to show more restraint before clicking on everything they see,

InfoSec practitioners who can code can also automate patching and other security maintenance, set up controls to block certain recognized events at the firewall level, recognize events that should require taking a box offline and running additional scanning for vulnerabilities or malware. By being able to automate such tasks, the InfoSec practitioner is more likely to be able to sleep at night as well.

 

Most definitely. But I find this an interesting topic, maybe helpful to people entering infosec, appsec, devops, secdevops

 

Automation is key, any scripting language is a plus. For InfoSec in depth technical knowledge in one or more areas is necessary.

 

Again, great point. You'll want to reach a point where you start to automate and codify - that requires basic dev skills

 

Absolutely. Every boring repetitive task should be automated to insure against neglect and inconsistent performance..

Honestly, coding skills help immensely. You don't have to be a wizard. Basic literacy is sufficient.

— Bill Paxil (@Soulmech) September 28, 2017

Some specifics suggested

From reading all the comments and a few DMs, it looks like shell scripting, Python, Ruby and Powershell are recommended options. A practitioner wouldn't have to be proficient in all of these - proficiency in even one is likely to enable them to do accomplish required automation of tasks quite handily. Those in application security (AppSec) would of course have different coding proficiency needs.

 

I think it depends on the area of focus. I do feel that Python, shell scripting and Poweshell is important in a lot of areas.

 

Learning PowerShell has definitely upped my game but I think that one can be successful as long as they have drive and passion

Conclusion

I'd advise anyone who is considering getting into InfoSec or already working in InfoSec to pick up at least one automation language / scripting capability. Does this suggest that those without coding skills are without worth to the community? Hell no! There are plenty of awesome jobs in InfoSec where coding isn't necessary. But if you're at university and have to choose between taking programming or basket weaving, you should probably wait until retirement to start making those baskets!

Kate Brew

About the Author: Kate Brew 
Kate has over 15 years experience in product management and marketing, primarily in information security. 

Top