Cybersecurity "Experts" suck at coding. It's a problem.

there's a problem in cyber security and the problem is that security researchers don't know software engineering C hi everyone thanks for watching Lori wired and in this video I'm going to discuss whether security researchers need to know how to program now what I've noticed in the field of cyber security as a whole is that there's a really strong lack of emphasis in understanding how to program yourself if you're trying to get into a career as a security researcher first I'd like to focus on reverse engineering and see what it looks like if you want to

get into understanding and reverse engineering a new language in cyber security Now what I commonly do if I'm trying to examine a new binary in a different language that maybe I'm not familiar with is I first like to take a step back and see what does the language actually look like if I'm trying to develop in that language which let's look at Objective C for example it has some really interesting nuances inside of how method methods are invoked what method names are actually called how they're called selector instead of method names if you're trying to

develop in this language and you're used to a different language like maybe C++ this is going to be really unfamiliar to you now take another step back and think if you've never seen what the original language anguage actually looks like how are you going to know how to reverse engineer that language because if you're trying to take a look at the decompilation of a binary it's going to be even uglier than the original language if you're trying to look at code that doesn't even look like the original source code that's just making it exponentially more

challenging now if you're already familiar with this language and you know what the code is supposed to look like and you can visualize inside of your head what the original source code might appear to be then this is going to make it so much easier for you that's why it's my favorite kind of mentality kind of way to go to dive into a new language by learning how to develop in that language now if you're confident and you can write that code yourself and you know what this code should look like then I guarantee that

you're much more able to reverse engineer that code if you know where exactly it's supposed to be going let's talk about another example let's say that you're trying to use security tools to reverse engineer or kind of take apart an application this is really common in cyber security whether you're a pen tester a reverse engineer a security analyst all of those encompassing Fields use security tools that are created by another developer now let's say you run into an error Maybe your decompiler fails at this particular class that you're trying to take a look at the

code within what do you do at that point are you going to reach out to the developer and have to wait on them to fix their application so that you can reverse engineer your code and take a better look at it or would you rather be able to understand exactly how to develop the tool yourself personally I think that is the much better option and if you would like to have a tool that maybe do doesn't even exist yet you have the entire capabilities to create that tool if you're both a developer and a security

researcher you can take this unique knowledge and this unique perspective that you have and put that into your development process and create that tool yourself or maybe even add on or fix a component of another tool that you really like all of this together gives you this unique opportunity to provide your own expertise to both the security community and the development Community to produce an even more effective toolbase for all researchers inside of cyber security next let's focus on another really core part of the security research Community let's focus on exploit developers and vulnerability researchers

now a lot of people join this field and have a ton of different unique back grounds but put yourself in the shoes of somebody who's trying to perform a manual code audit now this makes up a lot of the process of security research where you're just inspecting somebody else's code trying to find potential vulnerabilities potential exploitable locations within the code that you can use to your advantage now if you're trying to work inside of this field you basically need to understand the code better than the original develop Vel oper themsel if you're trying to exploit

this think of the perspective of the developer who is writing this application that you're trying to exploit they are mainly focused on performance and how the application looks how the application behaves and they're not focusing very commonly on the security aspect of this you have to be understanding how this code works from the ground up and thinking about it from an additional perspective of security research and trying to figure out exactly how this application works I think that one of the best ways of being able to break an application would be being able to write

that application yourself know what the developer was thinking and find the very common points that might be referenced by Common users of the application and be able to exploit all of those points that you've noticed and keep that kind of security mindset from the very beginning when you're taking a look at this application this requires almost extra skills if you're trying to look at this application because you have to be thinking about it from both the security researcher perspective and the developer perspective of where might the developer not have noticed that something could go wrong

is there an array that they didn't notice potentially has the capability of being overflowed and going out of bounds now there's a lot of commercial fuzzers out there that might do a lot of the job and find a lot of potential vulnerabilities and bugs inside of the code however let's say you're trying to look at a very specific portion of code and a commercial fuzzer is just not able to hit this particular portion that you're trying to find any potential vulnerabilities inside of at this point you might want to create your own custom buzzer to

look at this specific part of the application now if you have the core core Foundation skills of software engineering and programming you are completely able to do this and you can build a custom fuzzer to potentially find vulnerabilities that somebody who didn't have the core programming skills wouldn't be able to find let's move on to our final aspect of expl development in terms of how this requires knowledge in software engineering and that is going to be related to creating actual poc's or proofs of concept in order to exploit a vulnerability that you've uncovered now this

brings you back to just raw core development because you need to develop in whatever your target language is something that will try to exploit that vulnerability that you've uncovered let's discuss how security researchers really commonly interact with big data now this is a really big part of the job of being a security analyst and it's really important to be able to find the relevant sources of data now if you're trying to follow a threat through its initial infection process all the way through to where it's delivering the actual payload you need to be able to

understand all of these different databases all of these different database languages and be able to write and automate your analysis so you can find the really important parts of your data so that you can share this actual relevant portion with other security researchers this is also a really interesting perspective that you can use to combine your knowledge in security research and how a malare sample is going to affect the underlying system and your knowledge in programming and interacting with databases and what the sample actually did and potentially finding additional details about how the Mau author

was able to infect the original system now let's focus on a really complicated topic inside of cyber security let's take a look at cryptography now picture a ransomware author trying to encrypt files on your machine and needing to be able to decrypt them at a later time after the victim has paid the ransom if you're trying to reverse engineer this binary and you're trying to find any potential back doors in side of the cryptography and just get an idea of how this ransomware sample actually works then the best way to look at this and understand

it would be to be able to write that cryptographic function yourself and to know what kind of cryptographic algorithms are commonly used for this kind of encryption or decryption this kind of knowledge shows you potential vulnerabilities that you could use to decrypt a file that has been encrypted by ransomware author let's say for example they're using symmetric encryption to encrypt files and they store their key inside of their application that means that if you know what symmetric encryption is and what algorithms are part of symmetric encryption you know that you're looking for a symmetric key

inside of this application if you find that key then you can go ahead and decrypt any files that have been encrypted by that ransomware sample now since cryptog gra Y is generally accepted to be a pretty challenging topic ransomware authors and other authors of malware are not perfect they may have mistakes inside of their code and if you know the Core Concepts of this kind of programming topic then you'll be able to find those mistakes and even be able to exploit the other malware authors themselves let's talk about another aspect of security research let's let's

talk about trying to find detections and potential for perhaps Yara rules for finding samples inside a virus total or any of the databases that I was talking about earlier one really good potential for trying to find a detection to be able to track a malware sample throughout virus total would be to know what is common code and what is uncommon code if you're trying to find a good rule that applies to all samples that are part of this specific m family then you want to know what would I commonly see inside of a binary versus

what is really unique to this binary if you are able to understand the programming language that that sample was written in and potentially write all of that code yourself then you'll be able to identify what is unique to this malware sample that is probably going to be found in all other malware samples related to this specific family if you know that then there you have it there's your rule that you can write and you can potentially make an excellent rule that's going to track and capture all different malare samples that are belonging to this particular

family then you're able to basically thwart the malware authors even before they're able to release more samples because you know what they're probably going to include inside of their binary that you're already able to track yourself now there's a really big gap between developers and security researchers and this Gap causes kind of a lot of Challenge and even hostility at some points so it's really important to be able to identify and understand both worlds and see where both different individuals and different researchers are coming from now if you're a security researcher and you're trying to

talk to a developer and discuss a potential vulnerability that they may have inside of their application if you're able to come to them from the perspective of both security researcher and a developer who understands that there are deadlines and there are other parts of the code that are really important then you're much more able to have this kind of connection with the person that you're trying to discuss this with and potentially you're able to make them understand how big of a problem it can be to have a vulnerability inside of their application having this kind

of understanding helps you bridge the gap between security research and development and then produce an overall much safer application with a very good working environment if you're trying to work together across different teams based off of all these reasons I think it's really important to emphasize how to program and how to code and take a look at all of the different general concepts of software engineering as a security researcher in any field of cyber security being able to understand both security research and software engineering topics really sets you apart from a lot of other security

researchers and brings a really unique perspective to the field of cyber security it really opens up a lot of doors as well if you want to create your own tools you want to have a better understanding of code or if you want to interact with big data and automate a lot of your analysis processes this is why I think it's super important if you're trying to work in the field of cyber security to take the time and allocate the dedication to focus on a lot of different programming Concepts so that you understand coding and programming

as a whole so that you're able to create any tools that you might need and you have the skills to further your security research by understanding all of the different necessary Concepts so thanks so much for watching Lori wired everyone and I'll catch you in the next video signature takedowns all makes me think of as detections I've been reversing too long go feel like I should be going oh