Can you be a good pentester without knowing how to code?

Cyber Expertise
Written By Sara Novocin

On LinkedIn, we asked:

Can you become a good penetration tester without knowing how to code?

Sure, you can use tools like Burp Suite, Nmap, and Metasploit, but relying solely on prebuilt tools will only get you so far.

Sometimes, building a custom tool during a pentest is the only way to adequately demonstrate a risk to an organization. As pentesters, that’s our job. You can’t always count on a publicly available proof of concept to do the heavy lifting. A good pentester should be able to create at least a basic proof of concept that effectively communicates risk to stakeholders.

If you're aiming to master offensive security, learning to code is non-negotiable. Don’t be the one who tries to skate by without it!

This survey had a ton of great comments, and we wanted to share some of those comments with you!

“Knowing architectures and APIs is so valuable. Heck, we've made some auto-pwners for fuzzing simple RCEs. I think I'd probably say, being a good scripter/rapid-prototyper is more the flavor than a great developer. A great developer makes code that is easy to maintain by the people who come after you, that's overkill here. But being able to spit out a script that brute forces something or parses logs or sends unprintable characters is pretty mission critical.”

-Andrew N.

“Knowing Linux file structure and commands. Not necessarily “coding” so to speak, but ripping through a file system using terminal commands can feel like it. Definitely helps find resources and other areas of interest that might have escaped the tools that are used.”

-Connor S.

“Honestly, you should even review code for pre built tools before running in a prod environment. Nmap scripts, metasploit modules, and any other open source tool. You are risking some serious damage if you aren't reviewing the code. I hear this argument a lot. No, you don't have to be a software developer to be a good pentester, but eventually you will have to become pretty comfortable with code. Before you even get to a point of building custom code. Not to mention, automation is becoming an absolutely necessity nowadays. Another point I make that supports being comfortable with coding. You don't need to be an expert, but familiar enough to read and understand, and eventually start leveraging it.”

-George R

“Tools do not make you a pentester. That’s like saying you’re a carpenter because you know how to use a saw. You absolutely need to understand the concepts of code. Knowing how to code and understanding the concepts are two different things. You need to understand the concepts so you can review PoC code and the code for tools and understand what they’re doing and how. You also need to understand the concepts so you can understand the weaknesses and how they work. TL;DR don’t be a script kiddie”

-Devrryn J

Sara Novocin https://www.linkedin.com/in/saranovocin
Previous

Cyber Litigation Experts
Next

Post-Penetration Testing Excellence