and what if in your audit you are told not to use the web app/web server as your entry point or to ignore it all together.  now what?  your knowledge of PHP isnt going to do anything for you then.

you have a very valid point that in today's world getting in thru the web app/web server will be your most likely point on entry.  on the other hand, if you dont know other languages and have limited yourself to java/php/sql you have really narrowed your ability to perform non-web app assessments. 

you have also limited yourself on learning how to use the old exploits or how to learn to code your own remote OS type exploits  or fix existing broken exploits (you dont have to limit yourself to C but using java/php could be painful). 

to be a good (or new) auditor, in my opinion, you need to be able to fix and understand code written in the common "exploit writing" languages (perl, python, C) AND know web app languages (php, java, ajax, sql, etc).  i wouldnt pigeon hole myself into concentrating just on web apps (yet).

I still think there is some confusion as to what a pen tester's role is. There's no doubt its because as security professionals we are typically tasked with several roles and not just dedicated to one.

A pen tester's job is to find vulnerabilities in a companies network, that they couldn't find running a normal nessus scan. You are paid for your expertise in finding holes that aren't readily visible to the average IT guy and require some very strong knowledge of what protocols, software, and hardware they have exposed to the internet. While there are several other areas, like social engineering and physical security, this is the big one companies are looking for, most often because they were already hacked or there auditors are requiring it of them. So as I stated earlier, I still believe to be a great pen tester you, the guy who gets into networks nobody can, you are required to have strong knowledge of web-based protocols/software, as well as other services that are exposed. C++ helps you in none of this. It is a secondary role, as you mentioned in writing or customizing exploits. It doesn't take an expert C programmer to understand exploits or how to fix them to run in your environment. It takes basic level C knowledge to do that. As a pen tester, that is not the "elite" skill you are getting paid for IMO.

I think knowledge of C++ is very helpful to have for the all around security pro. Its pretty much expected that you will have at least some basic understanding of C code. Its absolutely vital for reverse engineering malware and for code auditing. Its considered by most to be the foundational language for many that followed. Hence peoples heavy attachment to it.

Great discussion though, I hope more people add their views on this

Well I'm glad I asked that question for the poll, and now that I see the intermediate results I'm even gladder. I've found the discussion this poll has  generated, has also been very interesting. Most of the discussion seems to revolve around the difference between what I originally asked about and what Don eventually ended up asking in the poll. My original question was about a programming language for security professionals while Don asked about pen testers.

I'm also interested that no one language has a flat majority, and also by the close tie (so far) between Assembly, Java/JS and VB/VBS. Any more thoughts......

I'd love to, but unfortunately I'm using a built-in feature of my CMS and it won't let me do that. 

The only way to do it would be to manually type the results. I do stil have the archived, so I guess I could get off my lazy butt and do it. I just haven't felt the urgency until now. Thanks a lot Negrita! 

Anyone program Joomla modules?

Don