What Scripting and Code Analysis Skills Do Pen Testers Need?

What scripting and code analysis skills are needed by pen testers? And, what tools are available to help them find web application software vulnerabilities?

What Scripting and Code Analysis Skills Do Pen Testers NeedGone are the days when pen testers could rely on one tool, such as Metasploit, to attack systems. Pen testers typically use several tools to accomplish their goals. One reason for this is an increased attack surface. Pen testers must consider traditional desktop and server systems, newer embedded/IoT systems, cloud and hybrid environments, plus all the web applications running on them.

In addition, pen testers must also take web application software into consideration due to coding errors that often result in cybersecurity breaches. That leads us to ask two questions: What scripting and code analysis skills are needed by pen testers? And, what tools are available to help them find web application software vulnerabilities?   

Scripting vs. Programming Languages  

First, you must be familiar with scripting languages, like Python, Ruby, Perl and JavaScript. These scripts have been around for many years. They run inside other programs and help make coding easier and faster. They are simplified versions of complex programming languages such as C# and Java. Unfortunately, the code from both scripting and programming languages can introduce significant vulnerabilities that lead to cybersecurity breaches. Pen testers must be familiar with them.

Writing Code vs. Code Analysis

Second, you should understand the difference between writing and analyzing code. Early career penetration testers may not spend much time writing code. Instead they use specialized tools for code analysis, like OWASP ZAP, Burp Suite and Gobuster. Writing code is often performed by advanced pen testers who script on the fly with Python, for example. Writing code typically comes after about 5 years of experience, whereas analyzing code may happen earlier, around 3 years of experience.

Scripting and Code Analysis in CompTIA PenTest+

The CompTIA PenTest+ certification focuses on code analysis. It does not assess code writing. These analysis skills are covered in four PT0-002 exam objectives. The following table includes an example for each objective.

Objective

Code Analysis Example

Why?

2.4 Given a scenario, perform vulnerability scanning.

CompTIA PenTest+ assesses Nmap, a common scanning tool, plus the Nmap Scripting Engine (NSE) that uses option -script=vuln

NSE vulnerability detection scripts can be downloaded and run to quickly check for specific vulnerabilities on a network.

3.3 Given a scenario, research attack vectors and perform application-based attacks.

CompTIA PenTest+ assesses research and exploitation techniques using OWASP Top 10, OWASP ZAP, Burp Suite and Gobuster tools.

Once a vulnerability is found, pen testers must determine the best attack to exploit it. Research is usually required to determine the best exploitation tool.

5.1 Explain the basic concepts of scripting and software development.

CompTIA PenTest+ assesses knowledge of logic constructs, data structures, JavaScript Object Notation (JSON), scripting, software libraries, classes, procedures and functions.

In order to analyze code, pen testers must be familiar with coding languages, or they might not know the best tool to use for the exploitation process.

5.2 Given a scenario, analyze a script or code sample for use in a penetration test.

CompTIA PenTest+ provides various examples such as Bash and PS shells, Python, Ruby, Perl, and JavaScript. Tools found in objective 5.3 are used.

Code analysis helps pen testers discover vulnerabilities, including code attempting to download files, launch remote access, enumerate users and/or enumerate assets.

5.3 Explain use cases of the following tools during the phases of a penetration test.

CompTIA PenTest+ covers web-application tools such as OWASP ZAP, Burp Suite and Gobuster.

Web-application tools help pen testers discover code vulnerabilities and exploit them through code analysis.

 

CompTIA PenTest+ Covers Code Analysis

As you can see, the CompTIA PenTest+ (PT0-002) exam objectives focus on code analysis to identify vulnerabilities. Writing code is not required. These analysis skills are expected to grow in the foreseeable future as software continues to introduce new vulnerabilities. For penetration testers who want to learn coding, it is recommended to start with Python because of its usefulness in cybersecurity.    

To assess your knowledge and prove to employers that you have the pen testing code analysis skills they need, start by downloading the CompTIA PenTest+ exam objectives. The updated CompTIA PenTest+ exam will launch later this month – it’s a great time to get started.

How to Study for CompTIA PenTest+

CompTIA offers everything you need to prepare for your PenTest+ certification exam – at home, online or in an actual classroom. Choose what works best for you, your learning preferences and your schedule.

  • eLearning: CompTIA CertMaster Learn is an interactive and self-paced comprehensive eLearning solution. It includes a customizable learning plan and performance-based questions that take you on a path of consistent learning toward your certification exam.
  • Interactive Labs: Acquire the necessary hands-on skills for your certification exam with CertMaster Labs. You will develop a deeper understanding of the subject matter and reinforce the practical aspects of certification exam objectives.
  • Integrated Learn and Labs Bundles: Gain the knowledge and apply the practical skills you need seamlessly with the integration of two of our most impactful learning tools –CompTIA CertMaster Learn + Labs.
  • Exam Prep: CompTIA CertMaster Practice is an adaptive online tool that assesses your knowledge and exam readiness. It confirms the topics you know and focuses your studies on the areas where you need more work, helping you feel more prepared and confident when you go into your IT certification exam.
  • Study Guides: Official CompTIA study guides – in printed and digital formats – are packed with informative and accessible content that covers all the exam objectives.

Download your customizable training worksheet to create your own plan and stick to it!

We know that getting an IT certification is an investment in both time and money, and that can be especially difficult if you’re in school or job hunting. CompTIA offers a number of ways to make it easier for you to pay for your training and certifications, including voucher discounts and financing options.

When you feel ready to take your exam, we’ve got your back there too! You can opt to earn a CompTIA certification online, from your home – or a quiet, distraction-free, secure location – at a time that’s convenient for you. Online testing is available 24/7, giving you a broader scheduling window than in-person testing. Of course, you can still take your exam in-person at a testing center if you choose to.

Get the skills you need to help protect organizations from cyberattacks. Ready to get started? Download the exam objectives from CompTIA PenTest+ for free to see what’s covered.

Email us at blogeditor@comptia.org for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment