homepage
Open menu

Eric Johnson

Eric is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevOps Automation, a co-author and instructor for both the brand new SEC510: Multicloud Security Assessment and Defense, and the upcoming SEC584: Cloud Native Security: Defending Containers & Kubernetes. Additionally, Eric is a SANS Security Awareness Developer Training Advisory Board Member and SANS Analyst for Application Security and DevSecOps Surveys.

More About Eric
Specialties
Photo

Profile

In his current role, Eric focuses on creating modern security tools that fit into cloud-hosted and on-premise development workflows. Prior to Puma Security, Eric spent 5 years as a Principal Security Consultant at an information security consulting firm helping companies deliver secure products to their customers, and another 10 years as an Information Security Engineer at a large US financial institution performing source code audits. His journey into programming and automation started in high school learning BASIC and VB6 macros to automate mainframe collections and bankruptcy workflows. After automating a manual data entry process and increasing throughput by 500%, he was addicted. The sense of pride and accomplishment from taking a manual process and making it pain free drove him into this career path. Over the years, programming morphed into web development, security tools automation, and then into cloud infrastructure and systems automation.

After years of performing security assessments and writing audit reports, Eric saw the same fundamental mistakes repeatedly being made. At the time, Eric asked himself, “How can we detect these reoccurring vulnerabilities earlier and faster?” From there, he refocused his attention on integrating security into the development (application) and operations (infrastructure) workflows. Taking a decade worth of security experience with running and customizing security tools, he helped create more advanced tools to work in automated pipelines, produce machine readable results, and deliver actionable scan results. Puma Security applied the workflow to their cloud infrastructure, virtual machine baselines, application source code, and other areas of IT. Eric’s courses take this real-world experience and distill the lessons into an actionable workflow or methodology.

Eric’s cloud experiences range from performing cloud security assessments for customers and penetration testing cloud-hosted applications (containers, serverless functions), to building a 100% cloud-hosted company (Puma Security) from the ground up across both the AWS and Azure platforms. His primary focus is leveraging Continuous Integration (CI) and Continuous Delivery (CD) tools to build, monitor, and secure cloud infrastructure and applications. This relies heavily on writing infrastructure as code and automating cloud-based security scanners. Eric's team at Puma Security develops and maintains Puma Scan and an Azure DevOps cloud-hosted static code analysis extension for reporting vulnerabilities in automated build pipelines.

The SANS Application Security Summit in 2012 was Eric’s first exposure to the SANS Institute. In his own words, “The summit blew me away. Excellent speakers, real-world material, top-notch training. After spending time with the instructors and SANS staff, I knew I wanted to work with the SANS community. Fast forward to today, after authoring and teaching several SANS classes, it’s the best career decision I made. The learning never stops, and the fun never ends.”

Eric believes that anyone working in the Cloud & DevOps Security space faces the same challenge: the subject matter is massive and constantly changing. The number of public cloud services and tools available can be very overwhelming. The most important concept that he learned early on is not taking on too much at once. Improve and learn every day. Taking a smaller, incremental approach to learning helps one stay focused. Eric implements this approach in his courses, as they build up over the week, re-enforcing concepts with several hands-on exercises daily. After a full 5-day course, students look back, take pride in what they've built, and feel prepared to take on the challenges awaiting them back in the office, as well as in their future career.

Great courses are never done and great instructors never stop learning. The Cloud & DevOps space makes this easy. Services, ideas, and tools are constantly evolving. Teaching Cloud and DevOps material keeps the instructor on edge, requiring a unique blend of skills and experiences, along with constant maintenance. The backbone of DevOps is the development workflow. Spending a few years in enterprise level software and web development before entering information security put Eric in a perfect position to understand how DevOps can build security workflows. Experience with cloud architecture, security assessments, building automated security tools, and custom security automation at both the enterprise level and at small/medium-sized companies allows him as an instructor to ensure every student leaves with the knowledge they need to improve security in their organization.

Being part of the student's journey is the most rewarding part of teaching for Eric. He regularly receives messages from students around the globe – sometimes years later - thanking him for sparking an interest in a subject, motivating them to work on a project, telling him they received a promotion at work, or passed a certification exam. In receiving these messages, Eric immediately can visualize what classroom the student was in and where the student sat. This always brings a smile to Eric’s face.

Eric delivers security training around the world and has presented security research at conferences including RSA, BlackHat, OWASP, BSides, DevOps Days, fwd:cloudsec, JavaOne, UberConf, and ISSA. Eric earned a bachelor's degree in Computer Engineering and a master’s in Information Assurance at Iowa State University, and currently holds the CISSP, AWS Developer, GWAPT, and GSSP certifications.

When not securing The Cloud, Eric enjoys spending time with his wife and two children traveling the world and exploring new cities, especially during the cold Iowa winters. Most of his free (non-technology) time is spent on the golf course, attending Iowa State football games, or in Louisville, at the horse track or bourbon tasting. Cheers!

Listen to Eric teaching in this webcast: Cloud Security And DevOps Automation: Keys for Modern Security Success.

ADDITIONAL CONTRIBUTIONS FROM ERIC JOHNSON

WEBCASTS

Extending DevSecOps Security Controls into the Cloud: A Panel Discussion of the 2020 SANS Survey, Nov 2020

Extending DevSecOps Security Controls into the Cloud: A SANS Survey, Oct 2020

SEC510: Multicloud Security Assessment and Defense, June 2020

Winning in the Dark - Defending Serverless Infrastructure in the Cloud, June 2020

Defending Serverless Infrastructure in the Cloud, Feb 2020

Attacking and Defending Cloud Metadata Services, Oct 2019

Cloud Security and DevOps Automation: Keys for Modern Security Success, April 2019

Continuous Security: Monitoring & Active Defense in the Cloud, Aug 2018

Secure DevOps: Faster Feedback with Effective Security Unit Tests in CI / CD, Jan 2018

For additional webcasts prior to 2018, please review the SANS Webcast Archive.

PUBLICATIONS
Cloud Security and DevSecOps Best Practices poster

https://www.slideshare.net/pumasecurity/presentations


TOOLS & MORE

https://github.com/pumasecurity/

https://pumasecurity.io/

Eric's Contributions

Blog
Exploring the DevSecOps Toolchain
The authors of the SANS Institute's DEV540 Secure DevOps & Cloud Application Security course created the Cloud Security and DevSecOps Best Practices poster to help security teams create a methodology for integrating security into the DevOps workflow. As you can see, the poster breaks DevOps down...
Eric_Johnson_370x370.png
Eric Johnson
Senior Instructor
read more
Blog
Your Secure DevOps Questions Answered
As SANS prepares for the 2nd Annual Secure DevOps Summit, Co-Chairs Frank Kim and Eric Johnson are tackling some of the common questions they get from security professionals who want to understand how to inject security into the DevOps pipeline, leverage leading DevOps practices, and secure DevOps...
Eric_Johnson_370x370.png
Eric Johnson
Senior Instructor
read more
Blog
Taking Control of Your Application Security
Application security is hard. Finding the right people to perform application security work and manage the program is even harder. The application security space has twice as many job openings as candidates. Combined that with the fact that for every 200 software engineers there is only 1 security...
Eric_Johnson_370x370.png
Eric Johnson
Senior Instructor
read more
Blog
Continuous Integration: Live Static Analysis with Roslyn
Early in 2016, I had a conversation with a colleague about the very, very limited free and open-source .NET security static analysis options. We discussed CAT.NET, which released back in 2009 and hasn't been updated since. Next came FxCop, which has a few security rules looking for SQL Injection...
Eric_Johnson_370x370.png
Eric Johnson
Senior Instructor
read more
Blog
HTTP Verb Tampering in ASP.NET
We're only a few days into 2016, and it didn't take long for me to see a web application vulnerability that has been documented for over 10 years: HTTP Verb Tampering. This vulnerability occurs when a web application responds to more HTTP verbs than necessary for the application to properly...
Eric_Johnson_370x370.png
Eric Johnson
Senior Instructor
read more
Blog
Breaking CSRF: Spring Security and Thymeleaf
As someone who spends half of their year teaching web application security, I tend to give a lot of presentations that include live demonstrations, mitigation techniques, and exploits. When preparing for a quality assurance presentation earlier this year, I decided to show the group a demonstration...
Eric_Johnson_370x370.png
Eric Johnson
Senior Instructor
read more