Think you know all about security pen-testing in the cloud? Here’s how to prove it

New GIAC qual shows you can put the Sec into DevSecOps and quantify the risk in SRE


Promo On the face of it, cloud penetration testing might appear a complex undertaking involving very different architectures, such as containers and Kubernetes, to those found in traditional on-prem infrastructure.

But once you drill down a little, it’s clear that things are actually even more complex. Mainstream enterprises have largely settled on a handful of cloud platforms, but each of these presents its own unique challenges. At the same time the distributed, multi-cloud nature of cloud native applications throws up additional legal and ownership questions.

Much of your traditional penetration testing experience – and qualifications – will undoubtedly come in useful in this new cloud native world. But having documented proof that you have the requisite skills to conduct cloud-specific penetration testing and assess the security of cloud-based infrastructure gives your organisation an additional layer of comfort. It also gives you the ability to stand out from the competition when it comes to your next job or promotion opportunity.

Which is why you’ll want to consider the newly launched GIAC Cloud Penetration Testing certification (GCPN), whether you class yourself as a penetration tester, vulnerability analyst, or attack- or defense-focused security practitioner – or none of these.

As well as covering the fundamentals of cloud penetration testing, environment mapping and service discovery, the GCPN qualification digs into the security nuts and bolts of cloud native applications with containers and CI/CD pipelines.

It also examines the specifics of AWS and Azure cloud services – these two platforms make up half of cloud native infrastructure and can differ dramatically from each other under the covers.

So, as well as addressing containers and Kubernetes architectures in general, the qualification also tests you on AWS and Azure’s own container approaches, their different serverless architectures, and the possible attack strategies for each.

And naturally, it encompasses red team penetration testing of cloud environments, discovery and identification of potential sources of exposure in cloud environments, and password and web application attacks.

There are no specific training requirements for the GCPN, but the qualification maps to the syllabus in SANS Institute’s SEC588 course. Whether your background is in traditional security practice or risk assessment, or you’re a DevOps or SRE specialist, securing GCPN certification will give you, and more importantly the rest of the world, proof that you’re both a cloud native, and a security native.

Getting started couldn’t be easier. Just follow this link, and you’ll be able to reach for the sky and secure the clouds.

Brought to you by SANS Institute.

