I want to talk. About. Reality is a bit messy and the long answer is: it depends. So let's explore a few thoughts about this.

As you hopefully know, recently I made videos about SerenityOS, specifically looking at kernel security issues. And if you follow me on Twitter, you might have seen me retweeting several videos Andreas Kling made about other vulnerabilities in SerenityOS, where he even develops exploits for them. They are amazing, check them out. So Andreas Kling clearly has the knowledge and skills to find kernel vulnerabilities AND write exploits for them. It seems even very easy for him. So if YOU want to get to that same level, you might ask yourself: how can I get there? How to learn all those skills? Are there courses I can buy? I mean, you might want to watch more LiveOverflow videos and check out the binary exploitation playlist and CTF writeups. Sure, that might help. But let's specifically look at Andreas' experience and try to figure out how he got those skills. Maybe you can copy it.

If you map Andreas' experience on a timeline, then for basically all his life, he was doing programming. He worked as a developer for Nokia and Apple. He worked on WebKit, the browser engine. Here, a random WebKit blog post from 2013, and see the author: it's Andreas. Then in 2018 he started programming his own operating system, SerenityOS, and now, just here at the end, he did vulnerability and exploitation stuff, without specifically learning it.

His many years of programming lower level code, which of course also means tons of time spent debugging, weird functionality bugs, investigating crashes, understanding how memory and assembly work, and so forth. Through programming, he acquired ALL THE SKILLS needed to just switch over to do some hacking. Just like that. And I think, if you want to do this kind of system exploitation, if you are aiming for understanding or even creating jailbreaks, browser exploits and all that other cool exploitation stuff, I don't think you get away without programming. You either already have programming experience in your past or you have to acquire it along the way. And that makes sense, right? If you want to exploit a C program, it makes sense that you need to know the C language. Mh... okay...

But then there is this curious case of web security. If you listen to various bug hunter interviews, there are quite a few successful hackers who say they don't have programming experience. And while I cannot fully understand that, because I do come from a programming background, I can see why that can work. There are a lot of tools to perform web hacking and you don't really need coding. You can use Burp to manipulate HTTP requests. You can use SQLmap to exploit a SQL injection without knowing the SQL language. You can bruteforce parameters and API paths with stuff like ffuf. You can copy & paste XSS payloads and hope to see an alert popup.

And then there are even full vulnerability scanners like Burp or Acunetix or so, where you just press a button and then you take the result and sell it as an overpriced pentest report. You can do a ton of web hacking without actually knowing programming, and being successful in it. At least in the financial success sense. To me, that is not very satisfying and boring. It's not how I measure success. But doesn't matter.

So I was wondering: if system exploitation clearly requires programming knowledge, and web hacking does not necessarily need it, what is the difference? Usually I say, if you want to exploit a C program, you should know C. If you exploit a PHP website, you should know PHP. In some abstract way, you can say you need to know the language of your target. But web apps have one big difference to a local C program. The web has a standardized protocol. A standard language EACH web app speaks. It doesn't matter if the web app is developed in PHP, Python, Java or even C, in the end they all have to speak HTTP. But that's not all. Every USER of web apps uses a standardized tool to access those apps, namely the browser. So different languages can cause the same kind of issue, and you can write tools to look for those issues, regardless if it's server-side attacks like SQL injections or logic flaws, or client-side attacks like CSRF or XSS. Those issues have all one thing in common.

And that is, they exist in the standardized ecosystem of the web. So a web hacker doesn't necessarily have to understand the programming languages behind it. It's enough to speak the first layer of languages, the web protocols, and understanding the web ecosystem. For system exploitation or binary exploitation, this is what is different. Every program written is different and has a different way of interacting with it. Exploiting sudo is different than exploiting the kernel.

But does that also mean, if you want to do web hacking, programming is useless? No. Absolutely not. There will always be issues that depend on the language or frameworks used. And so understanding how a website is built will always expand the possible issues you might think or know about. I also think it helps with the creativity of hacking, because programming is, in my opinion, a creative thing. And, of course, if you know programming, you can also write your own tools and scanners to help you do a better job.

But everything I talked about until now is a very specific area of IT security. It's really the industry of bug bounty, vulnerability research, code audits, application security and so forth. But IT security is much larger than that. There are TONS of jobs, maybe even the majority of jobs, that do not require this deep technical knowledge. Doing like network firewall and VPN installations, working in a SOC (security operations center) triaging reports, doing security awareness against phishing, doing checklist ISO certifications, or even classical pentest.

Where you scan networks with tools. All that stuff doesn't require programming knowledge. But you know this channel. This channel is not about this weird enterprise world of security. I wanna make videos about hacking in the classical sense. I want to explore systems and understand everything on a deeper level. That's what makes me excited. And I think that area of IT security does require programming experience. And that's why, for me, IT security is never an entry level position. For me, IT security is a specialization in IT and builds on top of a general broader IT foundation. That's also why I am sceptical about IT security bachelor degrees. Anyway.

One last call to action. I think for anybody who doesn't know programming yet, if they can read tons of different examples why people got into programming and what others can recommend, that is super helpful. So please share your programming motivation and experience in the comments.

https://www.youtube.com/watch?v=wv2YhT89LDU