Eric Johnson

Eric is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevSecOps Automation and a co-author and instructor for both SEC549: Cloud Security Architecture, and SEC510: Cloud Security Controls and Mitigations. Additionally, Eric is a SANS Security Awareness Developer Training Advisory Board Member and SANS Analyst for Application Security and DevSecOps Surveys.

More About Eric


In his current role, Eric focuses on creating modern security tools that fit into cloud-hosted and on-premise development workflows. Prior to Puma Security, Eric spent 5 years as a Principal Security Consultant at an information security consulting firm helping companies deliver secure products to their customers, and another 10 years as an Information Security Engineer at a large US financial institution performing source code audits. His journey into programming and automation started in high school learning BASIC and VB6 macros to automate mainframe collections and bankruptcy workflows. After automating a manual data entry process and increasing throughput by 500%, he was addicted. The sense of pride and accomplishment from taking a manual process and making it pain free drove him into this career path. Over the years, programming morphed into web development, security tools automation, and then into cloud infrastructure and systems automation.

After years of performing security assessments and writing audit reports, Eric saw the same fundamental mistakes repeatedly being made. At the time, Eric asked himself, “How can we detect these reoccurring vulnerabilities earlier and faster?” From there, he refocused his attention on integrating security into the development (application) and operations (infrastructure) workflows. Taking a decade worth of security experience with running and customizing security tools, he helped create more advanced tools to work in automated pipelines, produce machine readable results, and deliver actionable scan results. Puma Security applied the workflow to their cloud infrastructure, virtual machine baselines, application source code, and other areas of IT. Eric’s courses take this real-world experience and distill the lessons into an actionable workflow or methodology.

Eric’s cloud experiences range from performing cloud security assessments for customers and penetration testing cloud-hosted applications (containers, serverless functions), to building a 100% cloud-hosted company (Puma Security) from the ground up across both the AWS and Azure platforms. His primary focus is leveraging Continuous Integration (CI) and Continuous Delivery (CD) tools to build, monitor, and secure cloud infrastructure and applications. This relies heavily on writing infrastructure as code and automating cloud-based security scanners. Eric's team at Puma Security develops and maintains Puma Scan and an Azure DevOps cloud-hosted static code analysis extension for reporting vulnerabilities in automated build pipelines.

The SANS Application Security Summit in 2012 was Eric’s first exposure to the SANS Institute. In his own words, “The summit blew me away. Excellent speakers, real-world material, top-notch training. After spending time with the instructors and SANS staff, I knew I wanted to work with the SANS community. Fast forward to today, after authoring and teaching several SANS classes, it’s the best career decision I made. The learning never stops, and the fun never ends.”

Eric believes that anyone working in the Cloud & DevOps Security space faces the same challenge: the subject matter is massive and constantly changing. The number of public cloud services and tools available can be very overwhelming. The most important concept that he learned early on is not taking on too much at once. Improve and learn every day. Taking a smaller, incremental approach to learning helps one stay focused. Eric implements this approach in his courses, as they build up over the week, re-enforcing concepts with several hands-on exercises daily. After a full 5-day course, students look back, take pride in what they've built, and feel prepared to take on the challenges awaiting them back in the office, as well as in their future career.

Great courses are never done and great instructors never stop learning. The Cloud & DevOps space makes this easy. Services, ideas, and tools are constantly evolving. Teaching Cloud and DevOps material keeps the instructor on edge, requiring a unique blend of skills and experiences, along with constant maintenance. The backbone of DevOps is the development workflow. Spending a few years in enterprise level software and web development before entering information security put Eric in a perfect position to understand how DevOps can build security workflows. Experience with cloud architecture, security assessments, building automated security tools, and custom security automation at both the enterprise level and at small/medium-sized companies allows him as an instructor to ensure every student leaves with the knowledge they need to improve security in their organization.

Being part of the student's journey is the most rewarding part of teaching for Eric. He regularly receives messages from students around the globe – sometimes years later - thanking him for sparking an interest in a subject, motivating them to work on a project, telling him they received a promotion at work, or passed a certification exam. In receiving these messages, Eric immediately can visualize what classroom the student was in and where the student sat. This always brings a smile to Eric’s face.

Eric delivers security training around the world and has presented security research at conferences including RSA, BlackHat, OWASP, BSides, DevOps Days, fwd:cloudsec, JavaOne, UberConf, and ISSA. He is a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition. Eric earned a bachelor's degree in Computer Engineering and a master’s in Information Assurance at Iowa State University, and currently holds the CISSP, AWS Developer, GWAPT, and GSSP certifications.

When not securing The Cloud, Eric enjoys spending time with his wife and two children traveling the world and exploring new cities, especially during the cold Iowa winters. Most of his free (non-technology) time is spent on the golf course, attending Iowa State football games, or in Louisville, at the horse track or bourbon tasting. Cheers!

Listen to Eric teaching in this webcast: Cloud Security And DevOps Automation: Keys for Modern Security Success.




For additional webcasts, please review the SANS Webcast Archive.



Eric's Contributions