Should Penetration Testers Know How to Code?
Herm Cardona
Penetration Test Engineer/Practice Architect @ Winmill Software | Application Security
Penetration Testers don't need to be full-stack developers to be effective in their roles, but having coding skills is an absolute necessity. What is the difference? Though the terms are often used interchangeably, coding and programming are two different things. Coding refers to writing code for applications, but programming is a much broader term. Programmers find solutions to problems and determine how they should be solved. Programmers generally deal with the big picture within an application, not just compartmentalized lines of code. It is easier to learn to code than it is to program. Coders can produce code in various languages in a short period of time, but it may take many years to become a programmer with the depth and breadth of experience needed for the position.
Penetration Testers seldom need to write complete programs or applications, but they often have to write Bash scripts and write or modify tools and exploits written in C, C#, Python, JavaScript, PowerShell, Perl, Ruby, VBScript and others. They must also be able to use a debugger and work with machine language for exploit development. A Penetration Tester with no coding skills would be relegated to running scripts written by others. That is the definition of a "Script Kiddie," and no Penetration Tester wants to be associated with that label. Hence, Penetration Testers don't need to be programmers. However, they must have coding skills and be able to leverage programming language documentation, Google, Stack Overflow, and YouTube to meet the daily requirements of the job.