Is programming knowledge required for web application penetration testing?

Not required at first, but you will need it to move up the ladder in proficiency. Here's why:

  1. For DAST (Dynamic Application Security Testing), aka looking for security weaknesses while the application is running, understanding how a web application flows helps in identifying weaknesses in the code. While you do NOT need to learn it at the same level as a programmer does, knowing it will enable you to look in the corners that others usually won't look in.
  2. A web application is built on (and runs on) a lot of code not written by the application's own developer. Those code packages (also called third-party libraries, e.g., jQuery, Bootstrap, Laravel, Django, etc.) have been fortified with secure code, eradicating the low-hanging fruit (aka the flaws easily identifiable by script kiddies). These days, understanding the nuances of a programming language helps a tester to (here I go again) look in the corners that others usually won't look in.
  3. If you are doing SAST (Static Application Security Testing), aka source code security review, understanding the language is a definite requirement.
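To make point 3 concrete, here is an added example (not from the original post) of the kind of check a source code reviewer writes once they understand the language: a small SAST rule, built on Python's standard `ast` module, that flags database calls whose query text is assembled at runtime (f-strings, `%`-formatting, `str.format`, concatenation) rather than passed with bound parameters. The sample module it scans is constructed for this illustration; the function and variable names are mine, not from any project.

```python
import ast

# Constructed sample module: the sort of code a reviewer might be handed.
# Three functions build the query text from an argument; two do not.
SAMPLE_SOURCE = '''
def get_user_unsafe(cursor, username):
    # query text built from untrusted input
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")

def get_user_unsafe2(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)

def get_user_unsafe3(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '{}'".format(username))

def get_user_safe(cursor, username):
    # parameterised: the driver keeps query text and data separate
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))

def count_users(cursor):
    cursor.execute("SELECT COUNT(*) FROM users")
'''

# Method names we treat as query sinks (assumption: DB-API style cursors).
QUERY_METHODS = {"execute", "executemany"}


def _is_str_constant(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _runtime_built_string(node):
    """Return a short reason if `node` is a string assembled from other values, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod) and _is_str_constant(node.left):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add) and (
        _is_str_constant(node.left) or _is_str_constant(node.right)
    ):
        return "string concatenation"
    if (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr == "format"
        and _is_str_constant(node.func.value)
    ):
        return "str.format"
    return None


def find_dynamic_queries(source):
    """Scan Python source and return (line_number, reason) for each query sink
    whose first argument is built at runtime instead of being a constant."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in QUERY_METHODS):
            continue
        if not node.args:
            continue
        reason = _runtime_built_string(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, reason in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {lineno}: query text built via {reason}; use bound parameters instead")
```

The rule only reasons about the shape of the syntax tree, which is exactly why language knowledge matters: a reviewer who does not know that an f-string, a `%` expression and a `.format()` call all produce a new string at runtime would miss two of the three findings. The parameterised call and the constant query are left alone, so the output is a short list a tester can actually act on.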
