SANS Rocky Mountain Fall is Live Online! Join us Nov 2-7 MT for 17 interactive courses + NetWars. Save $300 thru 10/7.


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Heartbleed shows how Pen Testers can use the power of 'Python' to quickly assess vulnerabilities

Ahead of Pen Test Berlin 2014, Europe's largest dedicated educational event for penetration testers and ethical hackers, course author Mark Baggett suggests system admins and defenders can also benefit from coding knowledge

  • United Kingdom
  • 3rd June, 2014

In response to Heartbleed, a serious vulnerability in OpenSSL 1.0.1 that allows a remote attacker to extract data from the memory of a target computer, a number of new tools that exploit the vulnerability have been released into the InfoSec community in just a few weeks from the discovery of the flaw.

Tools such as SSLTEST, HB-TEST, HEARTBEAT_SCANNER have quickly gone into wider circulation to develop exploits that demonstrate the seriousness of the vulnerability. "The thing these tools all have in common is that they were written in Python," says Mark Baggett, SANS Certified Instructor, "Why? Because Python is a "rapid deployment", "batteries included" language that includes the core set of libraries and everything that you need to perform a wide variety of tasks, including developing exploits with most exploit tools only requiring a few lines of code."

Baggett is also the course author of SANS SEC573: Python for Penetration Testers, a course designed to help penetration testers customise existing open source code or develop their own tools. As course instructor Tim Medin explains, "You know, I've been a little surprised by the number of systems administrators and network defenders that attend SEC573. It was written with the penetration tester in mind but it is clear that the skills are relevant across a wider group."

This course is designed to meet students at their current skill level, appealing to a wide variety of backgrounds ranging from people without a drop of coding experience all the way up to skilled Python developers looking to increase their expertise and map their capabilities to penetration testing. The course includes language essentials and the development of a SQL Injection tool, a password guesser and a custom backdoors and a network reconnaissance tool. "These are certainly tools that every penetration tester needs while most security professionals find the skills required to develop those tools are easily applied to all kinds of situations. In short, everyone can easily benefit from the Python skills that are certainly developed in this course," says Medin.

The upcoming SANS Pen Test Berlin 2014 is the largest dedicated training event for ethical hackers in Europe and runs at the Radisson Blu Hotel in Berlin from the 15th to the 21st of June. Across 6 days, attendees will participate in advanced penetration testing and ethical hacking courses led by SANS' globally renowned, expert instructors. Each evening, SANS will host a series of @Night talks and social functions across a wide range of subject areas.

Alongside SANS SEC573: Python for Penetration Testers, Pen Test Berlin 2014 will also host:

SANS SEC760: Advanced Exploit Development for Penetration Testers with Stephen Sims
SEC542: Web App Penetration Testing and Ethical Hacking with Pieter Danhieux
SEC560: Network Penetration Testing and Ethical Hacking with James Lyne
SEC575: Mobile Device Security and Ethical Hacking with Raul Siles

The courses provide essential preparation for a number of GIAC Certification exams including GIAC Penetration Tester (GPEN), GIAC Assessing and Auditing Wireless Networks (GAWN) and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN). For more information or to register, please visit:

Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at In-Person and Live Online cyber security training events, and more than 50 courses are available anytime, anywhere with our OnDemand platform. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system – the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (