EH-Net
  Show Posts
31  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Cloud Computing - Formulating an EH Methodology for Cloud Computing on: February 04, 2010, 01:58:21 PM
Muss gave a great presentation at Kiwicon about the state of security of most shared web hosting providers and it didn't paint a pretty picture.
So when I read hayabusa's example of defaced websites I could almost visualise what exactly happened.
32  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Cloud Computing - Formulating an EH Methodology for Cloud Computing on: February 03, 2010, 07:29:35 PM
I don't work in the security industry but I do work in sys admin with a heavy focus towards virtualisation and cloud computing.

This sort of topic is something I face very much every day from my management and my clients.

I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure.
Is that acceptable to your organisation?

In relation to your question, I don't see cloud computing to be much different to any other computing system. If your cloud apps are web applications, for instance a business I look after uses Xero, a web-based accounting software package, then you are just pen testing a web app. If your definition of cloud computing revolves around virtualisation then the only added component I would say would be that you need to also test the hypervisor layer.

Just some things to think about.
33  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH Cert on: January 27, 2010, 09:11:13 PM
One of the big things IMO that separates a pen tester, who just knows how to run a tool and use automated scans vs a great pen tester is the ability to write your own exploits.

One of the best frameworks for developing exploits currently is Metasploit, and if you want to write modules for Metasploit you must be able to write code in Ruby.

Advanced hacking courses like OCSE and CEPT etc devote a large amount of their curriculum to coding. Not simply writing the exploit code but things like fuzzing and learning the nuances of x86 assembly.
34  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH Cert on: January 27, 2010, 03:20:51 PM
I think you need to at least be able to code in Python/Ruby in order to be a good pen tester. I just can't see how you can be a good pentester without being able to write your own exploits.
35  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Is CEH Right for me? on: January 20, 2010, 03:15:08 PM
Do you want to do management stuff in information security or do you want to do penetration testing?

I think that really sums it up. Also once you complete your CEH, I think it really only starts you on a path, it doesn't really mean you can do a complete pen test.

So what do you want to do, INFOSEC management or penetration testing?
36  Resources / Tools / Re: BackTrack 4 Final Release is out on: January 19, 2010, 02:40:34 PM
Everything about BackTrack 3 was designed to run on low spec hardware. It uses older versions of KDE (old even for those days) to reduce memory footprint for instance.

I've found BT4 to be more memory and processor intensive. One of their goals was to transition the distro from a live CD to being more install-friendly and they are clearly taking advantage of increased hardware specs.

I think you are going to struggle running the VMware version on your machine; I would suggest installing it instead.
37  Resources / Tools / Re: BackTrack 4 Final Release is out on: January 12, 2010, 05:19:43 PM
Will try installing it in VMware, looks good so far.

One of the best things about BackTrack is that they provide a pre-formatted vmdk.

Sometimes with extra goodies in it as well.

Downloading now, should be done when I get home.
38  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Top 10 Certifications for 2010 on: January 10, 2010, 03:12:14 PM
I'm frankly not surprised by CISSP and CISM. Having either one usually makes one's CV stand out to the HR department.
39  Ethical Hacking Discussions and Related Certifications / General Certification / Re: CEH or GPEN more attractive to employers? on: January 10, 2010, 03:09:19 PM
I decided to do the CEH/ECSA/LPT route as it was vastly more affordable than GIAC certs.

I think I could probably do the GPEN without attending the course as long as I had access to the study books. Once I am done with CEPT I think I might give that a go.

(Shameless plug, if anyone would like to sell me their recent GIAC study materials, please send me a PM.)

However, the GIAC GWAPT course looks interesting. Not many options out there which focus on web apps.
40  Ethical Hacking Discussions and Related Certifications / General Certification / CPT/CEH Infosec Institute on: December 21, 2009, 06:09:54 PM
I received an email from Jack at infosec earlier in the month. They have a new training portal up.
Logging onto it, it seems to be a totally updated and refreshed version of their CPT/CEH Ethical Hacking course.

Not very useful for me since I have already done the certs but I'll be perusing through the update material and will let you guys know what I think of it compared to the previous version.

At the beginning it already looks much more polished.
41  Ethical Hacking Discussions and Related Certifications / CPTC - Certified Penetration Testing Consultant / Re: Why CEPT cert is not know? on: December 17, 2009, 04:23:53 PM
The course is good. The CEPT cert is more like a test at the end of the course to verify that you have learnt the course material.
It would be awesome if it had more clout but at the moment I don't see an issue that it isn't as widely known as CEH or ECSA etc.

IMO just get those too. Hell even infosec says you should achieve them.
42  Ethical Hacking Discussions and Related Certifications / CPTC - Certified Penetration Testing Consultant / Re: Why CEPT cert is not know? on: December 15, 2009, 08:41:23 PM
I'm doing it. Nothing wrong with the course.
43  Ethical Hacking Discussions and Related Certifications / Other / Re: Kiwicon 2009 on: November 26, 2009, 07:56:06 PM
Well Kiwicon is almost here.

Looking forward to the line-up; some of the presentations look very cool.

I'll post anything interesting here, when I get home to my computer of course!
44  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Advice on switching to a security focused career on: November 25, 2009, 03:21:35 PM
I truly believe that pentesting as a career is one of the few IT specialties (if you can call it a specialty) where knowing about everything is as synergistic as specialising in one thing.

Because so much of security in IT requires a healthy dose of creativity, insight and experience you never know when that little tidbit of knowledge will come in handy.

I trained to become a network engineer. Did that for a little while and then moved into system administration.
I have plans in the near future to focus on a programming language or two.

So I've come from a different perspective but in the end I will hopefully end up with a strong skillset in networking, system administration and programming.
45  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: windows penetration testing on: November 24, 2009, 08:34:49 PM
Get Thomas Wilhelm's book Professional Penetration Testing. I just received my copy yesterday and while the first couple of chapters haven't taught me anything yet I think the book would have been awesome when I first started out.