Top 5 programming languages for security admins to learn

SecAdmins working to protect infrastructure, whether defensively or offensively, may find these programming languages helpful in safeguarding apps, systems, and hardware from threats.

security admin

Image: gorodenkoff, Getty Images/iStockphoto

Cybersecurity is the fastest-growing field in IT today. From the dire need to protect infrastructures globally to ensure that communications are secured to maintaining the confidentiality and integrity of data—while still assuring its availability—each facet of every system depends on the utmost security protections to keep threat actors at bay.

SEE: Top 5 programming languages for security admins to learn (free PDF) (TechRepublic)

There's a saying in the computer security world: "Hackers only need to get it right once; we have to get it right every time." While it's discouraging to think of the never-ending, uphill battle cybersecurity professionals have before them, the saying is 100% accurate. Also, it is something security admins have come to know and understand as an integral part of their job function.

As your career in computer security grows, the need to protect critical infrastructure, applications, and software will only grow exponentially. The programming languages below will assist professionals in working smarter but not harder by automating defensive tasks, performing penetration tests that will aid in identifying bugs and malicious code, and writing code that serves to patch security holes.

SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)

C

This low-level programming language has been in use for almost five decades and was designed with cross-platform support in mind. When structured properly, programs can be compiled with minimal changes to the source code across multiple OSes. Because of its deep level of integration with system hardware, applications that are compromised pose a greater security threat due to the ability to manipulate hardware resources.

SEE: Top 5 programming languages for systems administrators to learn (TechRepublic download)

Being able to read source code generated from C-based languages will provide in-depth insight into  identifying malicious code and correcting vulnerabilities in the code, which provides secadmins an unparalleled advantage in being able to thwart attacks before they can occur.

Roles best suited for C programmers include software developers, penetration testers, and application testers.

Python

Python is arguably the most popular of the modern programming languages. Python's cross-platform capability, extensive community support, and ubiquitous nature allow for it to be flexibly integrated into just about any system, and it lends itself to just about any task.

SEE: Top 5 programming languages for network administrators to learn (TechRepublic download)

Thanks to its ability to run on multiple systems, Python is often the language of choice for security admins to leverage their testing scripts, including those used by red teams when simulating attacks or during penetration testing campaigns as the tasks will run regardless of the host's OS.

Roles best suited for Python programmers include penetration testers, systems administrators, and SecOps.

JavaScript

While JavaScript (JS) may not be the language du jour for modern development, it is the one that is most widely in use. Averaging more than 97% in market share trends and used in just about every website, JS is in heavy demand these days. 

SEE: Identity theft protection policy (TechRepublic Premium)

Security professionals would greatly benefit from being able to interpret, write, and—more importantly—correct errors in JS to secure code from popular attacks, like Cross-Site Scripting (XSS), Cross-Site Forgery Request (CSRF), and SQL Injection

Roles best suited for JavaScript programmers include penetration testers, web developers, and DevOps.

PHP

While PHP serves more as a web-based language, it is estimated that about 80% of all websites use it in some way. Adding to its growth in market share is the shift to the web or cloud over traditional applications. Also fueling growth is the adoption of popular CMS platforms, such as WordPress, that are written almost entirely in PHP.

SEE: How to populate MySQL tables with data using phpMyAdmin (TechRepublic)

It should not come as a shock that as market share increases, threats against those platforms increase substantially. And these threats could pose serious harm if they reveal information stored in a database, XSS. They could even open the door for or even session hijacking. Knowing this language could help you prevent some of these sinister attacks.

Roles best suited for PHP programmers include penetration testers, web developers, and DevOps.

SQL

Structure Query Language (SQL) is the method by which data is managed as it is stored in a relational database. The benefits to using databases to store data over alternative read-write methods, such as APIs, typically revolve around the ability to access multiple records at once and without having to specify how records are accessed. Databases can also scale accordingly, providing a method for storing as much data as the hardware will support.

SEE: The best programming languages to learn in 2020 (TechRepublic)

This opens up a particular problem in that databases represent a treasure trove of information for threat actors. This makes it all the more imperative to harden the SQL code to limit the level of exposure as the threat of data exfiltration is too great and may lead to serious consequences, especially if data is regulated.

Roles best suited for SQL programmers include penetration testers, database administrators, and web developers.

Honorable mentions

PowerShell

Microsoft's open-source language PowerShell (PS) is increasingly seeing usage, not only in Windows-based environments, but others that were typically only Linux, or macOS. It's not just used to manage devices and data sets, but with its tight integration into other platforms, such as Directory Services, networking services, virtualization, and SQL, PowerShell can (and has been) weaponized to perform full-scale attacks, from recon to exploitation to persistence. Pentesters would do well to add this language to their arsenals.

SEE: PowerShell 7.0: Eight changes you need to know (TechRepublic)

Ruby

Ruby is another web-based language that builds on a framework geared toward securing eCommerce and web applications to scale. With the financial component in place, it is no wonder that it would attract threat actors looking to benefit financially from compromising sites and services built on Ruby. Increasingly, penetration testers are adding Ruby-based scripts to their toolkits and skill sets in an effort to perform testing campaigns across a number of devices. With its cross-platform support and easy development style, this makes a great addition to their skill sets. 

Also see

By Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...