@sroberts advanced persistent incident responder

Python for CND

One thing I constantly harp on while talking to people beginning in the security community is the importance of learning to code. I think it is awful that we have so many security professionals who cannot write a line of code. Coding is useful for automating common tasks, gathering & manipulating data, almost anything you can imagine. I think everyone should learn some coding, and Python is the best place to start.

What is Python

From Python.org/about:

Python is powerful… and fast; plays well with others; runs everywhere; is friendly & easy to learn; is Open.

Python is an interpreted language, meaning the Python interpreter takes the same .py file you write code in and runs it for you, without a compilation step in between (if you want a compiled language I recommend looking at Golang). Python runs about anywhere, and if you have a macOS or Linux computer you probably already have Python installed.

Python is beautifully simple. Here is Hello World:

It rarely gets much simpler than that. Let's demonstrate something a bit more complicated:

Here we’re using a library called Requests to grab the SANS Infocon status from their web service. Then we check to make sure the response had an HTTP status code of 200 and return the value to print; otherwise, if we can’t get the Infocon successfully, we return an error. Contrived? Yes. Simple? Of course. Useful as a jumping off point? Absolutely.
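Since the original snippet did not survive, here is an added example (mine, not the post's own code) of the Infocon check described above, split so the status-code and JSON validation can be exercised without a network. The endpoint URL https://isc.sans.edu/api/infocon?json and the reply shape {"status": "green"} are assumptions, not facts from the post.

```python
"""Added example: fetch the SANS ISC Infocon level with Requests.

Assumptions (not from the original post): the ISC endpoint is
https://isc.sans.edu/api/infocon?json and it answers with a JSON
object such as {"status": "green"}.
"""
import json

INFOCON_URL = "https://isc.sans.edu/api/infocon?json"  # assumed endpoint
KNOWN_LEVELS = ("green", "yellow", "orange", "red")


class InfoconError(Exception):
    """Raised when the Infocon status cannot be retrieved or parsed."""


def parse_infocon(status_code, body):
    """Validate an HTTP reply and extract the Infocon level.

    Kept separate from the network call so it can be tested offline
    with a constructed status code and body.
    """
    if status_code != 200:
        raise InfoconError("unexpected HTTP status %d" % status_code)
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise InfoconError("response was not valid JSON: %s" % exc)
    if not isinstance(data, dict):
        raise InfoconError("response JSON was not an object")
    level = str(data.get("status", "")).lower()
    if level not in KNOWN_LEVELS:  # refuse anything we don't recognise
        raise InfoconError("unrecognised Infocon level: %r" % level)
    return level


def get_infocon(url=INFOCON_URL, timeout=10):
    """Fetch the current Infocon level using Requests (needs network)."""
    import requests  # imported here so parse_infocon works without it
    try:
        resp = requests.get(url, timeout=timeout)
    except requests.RequestException as exc:
        raise InfoconError("request failed: %s" % exc)
    return parse_infocon(resp.status_code, resp.text)


if __name__ == "__main__":
    try:
        print("SANS Infocon is", get_infocon())
    except InfoconError as err:
        print("Could not get Infocon:", err)
```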

Why Use Python for Security?

Because all the cool kids are doing it? Python is the default programming language for most network security types, having largely taken the mantle from Perl. It’s easy to write, whether it’s a basic script for rearranging data or an elaborate large-scale distributed security tool; it has lots of great libraries for common security tasks (we’ll look at some of them later); and it is quick to learn.

Resources for Learning Python

Learning any language is never just about learning to write code, though that’s the first place to start. Learning a language means learning its syntax, but also its conventions, libraries & tooling, as well as how to test. It also often helps to look at projects others have done to get the lay of the land. Here are some resources to get started:

Core Language Syntax

Start with Codecademy: Python to learn the basic syntax. It’s free, there’s no setup, and you’ll learn enough to be dangerous in an afternoon. Ready to go deeper? You want Learn Python the Hard Way for a deep dive into Python, using your own machine. If you need a few syntax reminders, check out the Learn X in Y minutes: Python3 cheatsheet.

Aside: Python 2.7 vs Python 3

If you want to get Python folks arguing with each other, just bring up Python3. Released a few years ago, Python3 was meant to be a significant upgrade, fixing lots of old structural issues that couldn’t be fixed earlier because doing so would break old code. Many people have been resistant, and even though it’s been out for years Python3 still isn’t the default. I focus on writing Python3, but your mileage may vary and your organization may do things very differently.

One of the nicest things about learning an interpreted language like Python (or Ruby, Perl, etc.) is being able to learn using a Read Evaluate Print Loop (usually referred to as a REPL). You can start a REPL for Python by just typing python at a command prompt without any arguments. This lets you write Python line by line, getting the output immediately. It’s a great way to do things quickly or just experiment.

Python Security Books

Python is so common in security that there are a number of great security-centric Python books. These are great ways to learn Python in a security-specific context.

Packages

One of the best things about Python is the multitude of libraries that already exist before you write your first line of code. These range from basic data manipulation libraries all the way up to complex web frameworks and data mining toolsets.

In Python all packages are managed using pip (yeah yeah, easy_install & eggs and a bunch of other ways, but let’s keep it basic). Searching for a new tool is as easy as pip search virustotal, which will return all the Python packages related to everyone’s favorite malware service. Decide you want to use one? A quick pip install virustotal-api and you’re off to the races (once you get a bit further down the road you’ll want to learn about using pip & virtualenv together).

What libraries you want to use depends a lot on the work you’re doing, but here are a few core ones most security-minded Python developers will want to use:

Flask: The go-to for small web apps, Flask is especially useful for REST API based tools.
Requests: Requests is the only Non-GMO HTTP library for Python, safe for human consumption.
yolothreat/utilitybelt: A Python library for being a CND Batman….

There are literally thousands more, but these are three I reach for often.

Awesome Python Projects

There are plenty of examples of great security tools using Python, many of which I’ve already talked about. Here’s a new set I’d recommend looking into:

These are all under active development and great tools to consider sending pull requests to.

Ready For More?

Programming is often far more than syntax and libraries. Here are some things you’ll want to start investigating next:

Companies Using Python for Security

Basically everyone. Honestly it seems counterproductive to list them. Aside from Metasploit, Python is the go-to scripting language for most IR firms and the language of choice for the open source security world.

In Conclusion

While not everyone in security will write code as a job, almost everyone can benefit from writing some code to assist in their job. Even basic data manipulation is a key skill that becomes more useful the more you do it. Given Python’s wide use, great libraries, and ease of learning, it’s an ideal place to get started. While there are other languages that do specific things better, almost none can claim to do everything as well as Python.