Eric Johnson

Eric is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevSecOps Automation and a co-author and instructor for SEC510: Public Cloud Security: AWS, Azure, and GCP. Additionally, Eric is a SANS Security Awareness Developer Training Advisory Board Member and SANS Analyst for Application Security and DevSecOps Surveys.

More About Eric

Upcoming Courses


In his current role, Eric focuses on creating modern security tools that fit into cloud-hosted and on-premise development workflows. Prior to Puma Security, Eric spent 5 years as a Principal Security Consultant at an information security consulting firm helping companies deliver secure products to their customers, and another 10 years as an Information Security Engineer at a large US financial institution performing source code audits. His journey into programming and automation started in high school learning BASIC and VB6 macros to automate mainframe collections and bankruptcy workflows. After automating a manual data entry process and increasing throughput by 500%, he was addicted. The sense of pride and accomplishment from taking a manual process and making it pain free drove him into this career path. Over the years, programming morphed into web development, security tools automation, and then into cloud infrastructure and systems automation.

After years of performing security assessments and writing audit reports, Eric saw the same fundamental mistakes repeatedly being made. At the time, Eric asked himself, “How can we detect these reoccurring vulnerabilities earlier and faster?” From there, he refocused his attention on integrating security into the development (application) and operations (infrastructure) workflows. Taking a decade worth of security experience with running and customizing security tools, he helped create more advanced tools to work in automated pipelines, produce machine readable results, and deliver actionable scan results. Puma Security applied the workflow to their cloud infrastructure, virtual machine baselines, application source code, and other areas of IT. Eric’s courses take this real-world experience and distill the lessons into an actionable workflow or methodology.

Eric’s cloud experiences range from performing cloud security assessments for customers and penetration testing cloud-hosted applications (containers, serverless functions), to building a 100% cloud-hosted company (Puma Security) from the ground up across both the AWS and Azure platforms. His primary focus is leveraging Continuous Integration (CI) and Continuous Delivery (CD) tools to build, monitor, and secure cloud infrastructure and applications. This relies heavily on writing infrastructure as code and automating cloud-based security scanners. Eric's team at Puma Security develops and maintains Puma Scan and an Azure DevOps cloud-hosted static code analysis extension for reporting vulnerabilities in automated build pipelines.

The SANS Application Security Summit in 2012 was Eric’s first exposure to the SANS Institute. In his own words, “The summit blew me away. Excellent speakers, real-world material, top-notch training. After spending time with the instructors and SANS staff, I knew I wanted to work with the SANS community. Fast forward to today, after authoring and teaching several SANS classes, it’s the best career decision I made. The learning never stops, and the fun never ends.”

Eric believes that anyone working in the Cloud & DevOps Security space faces the same challenge: the subject matter is massive and constantly changing. The number of public cloud services and tools available can be very overwhelming. The most important concept that he learned early on is not taking on too much at once. Improve and learn every day. Taking a smaller, incremental approach to learning helps one stay focused. Eric implements this approach in his courses, as they build up over the week, re-enforcing concepts with several hands-on exercises daily. After a full 5-day course, students look back, take pride in what they've built, and feel prepared to take on the challenges awaiting them back in the office, as well as in their future career.

Great courses are never done and great instructors never stop learning. The Cloud & DevOps space makes this easy. Services, ideas, and tools are constantly evolving. Teaching Cloud and DevOps material keeps the instructor on edge, requiring a unique blend of skills and experiences, along with constant maintenance. The backbone of DevOps is the development workflow. Spending a few years in enterprise level software and web development before entering information security put Eric in a perfect position to understand how DevOps can build security workflows. Experience with cloud architecture, security assessments, building automated security tools, and custom security automation at both the enterprise level and at small/medium-sized companies allows him as an instructor to ensure every student leaves with the knowledge they need to improve security in their organization.

Being part of the student's journey is the most rewarding part of teaching for Eric. He regularly receives messages from students around the globe – sometimes years later - thanking him for sparking an interest in a subject, motivating them to work on a project, telling him they received a promotion at work, or passed a certification exam. In receiving these messages, Eric immediately can visualize what classroom the student was in and where the student sat. This always brings a smile to Eric’s face.

Eric delivers security training around the world and has presented security research at conferences including RSA, BlackHat, OWASP, BSides, DevOps Days, fwd:cloudsec, JavaOne, UberConf, and ISSA. Eric earned a bachelor's degree in Computer Engineering and a master’s in Information Assurance at Iowa State University, and currently holds the CISSP, AWS Developer, GWAPT, and GSSP certifications.

When not securing The Cloud, Eric enjoys spending time with his wife and two children traveling the world and exploring new cities, especially during the cold Iowa winters. Most of his free (non-technology) time is spent on the golf course, attending Iowa State football games, or in Louisville, at the horse track or bourbon tasting. Cheers!

Listen to Eric teaching in this webcast: Cloud Security And DevOps Automation: Keys for Modern Security Success.


CloudSecNext Summit 2022 Co-Chair, May 2022

CloudSecNext Summit 2021 Co-Chair, June 2021



Where We're Going, We Don't Need Roads, June 2022

Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments, Nov 2021

Panel Discussion: Rethinking the Sec in DevSecOps: Security as Code: A SANS 2021 Survey, June 2021

Rethinking the Sec in DevSecOps: Security as Code: A SANS 2021 Survey, June 2021

Locking Down GitFlow with GitHub, GitLab, and Azure DevOp, (Cloud Security and DevSecOps Part 2 of 3), May 2021

Multiple Clouds Require Multiple Solutions: AWS, Azure, & GCP - SANS @Mic, Jan 2021

Winning in the Dark - Defending Serverless Infrastructure in the Cloud - SANS@Mic Tokyo, Dec 2020

Extending DevSecOps Security Controls into the Cloud: A Panel Discussion of the 2020 SANS Survey, Nov 2020

Extending DevSecOps Security Controls into the Cloud: A SANS Survey, Oct 2020

SEC510: Multicloud Security Assessment and Defense, June 2020

Winning in the Dark - Defending Serverless Infrastructure in the Cloud, June 2020

Defending Serverless Infrastructure in the Cloud, Feb 2020

Attacking and Defending Cloud Metadata Services, Oct 2019

Cloud Security and DevOps Automation: Keys for Modern Security Success, April 2019

Continuous Security: Monitoring & Active Defense in the Cloud, Aug 2018

Secure DevOps: Faster Feedback with Effective Security Unit Tests in CI / CD, Jan 2018

For additional webcasts prior to 2018, please review the SANS Webcast Archive.


Secure Service Configuration in AWS, Azure, & GCP poster

Cloud Security and DevSecOps Best Practices poster


Eric's Contributions