It is heavily used within security and it’s a good language to learn if you’re interested in pursuing a career within the security field. Here are some of the uses of python within security:

Automation

Python is one of the best programming languages for automating day to day tasks. In modern IT a lot of the work that was done manually by administrators is now controlled by computer scripts. Computer scripts are much faster, more consistent and cheaper than paying for employees to do it after work hours. Python along with powershell and bash is one of the most common languages for writing quick automation scripts.

Creating Security Tools

When performing ethical hacking, a big part of the task is creating software (exploits) that you can use to hack into websites, networks, systems etc. While this can be done in almost any programming language python is one of the most popular for writing this software. Not only is it good for creating new software but much of the current exploits are written in Python. Having a good understanding of Python will make it much easier to understand and edit other people’s work that has been published online. This way you leverage other people’s work and make it suit your specific situation. Common security tools that people write in Python include mac address changers, keyloggers, backdoors and port scanners. 

Malware Analysis

Malware analysis is the study or process of looking at malware to determine the functionality, origin and potential impact of the malware. When a company finds that they have been infected with malware, one of the first things they need to do to respond properly is to find out what the malware is and what it will do. Sometimes you get lucky and you can use static malware tools like Virustotal, where you can upload the malware and it will have information on it in the tool’s database. But with newer malware, it will require people that can read and understand computer code to look at the source code and figure out what the malware does. Having a good understanding of Python, along with other programming languages like C, C++, Javascript, etc is essential in situations like this. Additionally, many governments pay for well written malware. Being able to program in Python and design malware is another lucrative business that can be done legitimately if you work for the right government agency.

Most important Python libraries for security

Boto3

Boto3 is the Amazon Web Services (AWS) Software Development Kit (SDK). This SDK allows you to create scripts that interact with AWS services such as Amazon Simple Storage Service(S3), Amazon Elastic Compute Cloud(EC2), and Amazon Virtual Private Cloud(VPC). Using Boto3 you can start and stop servers on demand, cancel instances based on whether or not they conform to your organization’s security standards, perform scheduled updates and send automated notifications when security events occur. 

Regex

Regex stands for regular expressions, and it enables you to search for patterns within a larger body of text. This can be useful in many different situations and saves you time when you are looking for pieces of information in large bodies of text. One common example of this would be to extract a list IP addresses from a set of log files. Going through a log file manually could take hours, but with a pre-written script a computer can do this in less than 2 minutes. 

Pyperclip

Pyperclip is used to access the clipboard in your Python scripts, giving your automated programs the ability to copy and paste to and from files. This is great when working with word, pdf or excel files.

Faker

Faker produces fake data that can be used to test your scripts and make sure they can handle different types of data without returning errors. This is important to ensure that the programs you create will perform as intended.  Some of the data that faker creates includes names, addresses, phone numbers, emails, urls, etc.

Python Nmap

Nmap is a popular open source port scanner, used during penetration testing. Port scanning is the process of checking what ports are open on a computer and what services are running on each of those ports. The purpose is to identify what vulnerable services are running that could be used to hack into the machine. The Python Nmap library allows you to use nmap through your scripts rather than having to manually open and use the application, which automates part of the penetration testing process. Some penetration tests require you to scan hundreds or thousands of machines, doing this by hand would be a long process but by using this library it can be done without human interaction.

Socket

Socket is a network interfacing library that allows you to establish client-server connections. Within security, this is useful because it allows you to connect to any machine on a specified port, with a specific protocol, and send data to that machine. It can be used with nmap library for port scanning as well as sending data to or extracting information from a machine. This is important once a machine has been successfully hacked and you want to attempt to move data from that machine (exfiltration). 

Scapy

Scapy is a packet manipulation library used to forge and decode data packets. In security, there are times when you need to monitor the data packets being sent across your computer network. You may do this to determine if someone has hacked into your network, see how vulnerable you are to someone eavesdropping on your conversations or troubleshoot a network problem. Scapy is great for packet analysis and has the same functionality as security tools such as Nmap, Wireshark and tcpdump.

Requests

Requests allows programmers to send HTTP requests in their scripts. HTTP requests are useful for pen testing activities because they allow for the creation of custom payloads and attacks against web applications. If you have used the tool Burpsuite, then you understand how useful this can be in hacking web applications. Requests has similar functionality. Requests is one of the most popular python libraries for web based attacks, used in 89% of Python-based attacks.

Final Thoughts

Python is a great first language for any beginner and more so if you are interested in a career in cybersecurity. It has all the functionality that you would need for daily operations and it’s syntax makes it much easier to learn than languages such as C++. If you’re interested in learning more about python, I would suggest starting with automatetheboringstuff.com, this website/book is a great introduction to learning python for automating daily tasks. Additionally, google created a course called IT Automation with Python, if you want something validated by a large company/authority.

If you want practical Python challenges, you can use codewars or topcoder to get accustomed to writing code on a regular basis. In my experience practice is much more important than studying when it comes to programming, I would suggest no matter what route you take to learning python you want to focus on writing code and making programs that will be relevant in a security environment. For example automating finding IP addresses in log files, finding failed login events in log files or submitting IP addresses, files and URLS to Virustotal and recording the results in a text file.