In his current role, Eric focuses on creating modern security tools that fit into cloud-hosted and on-premise development workflows. Prior to Puma Security, Eric spent 5 years as a Principal Security Consultant at an information security consulting firm helping companies deliver secure products to their customers, and another 10 years as an Information Security Engineer at a large US financial institution performing source code audits. His journey into programming and automation started in high school learning BASIC and VB6 macros to automate mainframe collections and bankruptcy workflows. After automating a manual data entry process and increasing throughput by 500%, he was addicted. The sense of pride and accomplishment from taking a manual process and making it pain free drove him into this career path. Over the years, programming morphed into web development, security tools automation, and then into cloud infrastructure and systems automation.
After years of performing security assessments and writing audit reports, Eric saw the same fundamental mistakes repeatedly being made. At the time, Eric asked himself, “How can we detect these reoccurring vulnerabilities earlier and faster?” From there, he refocused his attention on integrating security into the development (application) and operations (infrastructure) workflows. Taking a decade worth of security experience with running and customizing security tools, he helped create more advanced tools to work in automated pipelines, produce machine readable results, and deliver actionable scan results. Puma Security applied the workflow to their cloud infrastructure, virtual machine baselines, application source code, and other areas of IT. Eric’s courses take this real-world experience and distill the lessons into an actionable workflow or methodology.
Eric’s cloud experiences range from performing cloud security assessments for customers and penetration testing cloud-hosted applications (containers, serverless functions), to building a 100% cloud-hosted company (Puma Security) from the ground up across both the AWS and Azure platforms. His primary focus is leveraging Continuous Integration (CI) and Continuous Delivery (CD) tools to build, monitor, and secure cloud infrastructure and applications. This relies heavily on writing infrastructure as code and automating cloud-based security scanners. Eric's team at Puma Security develops and maintains Puma Scan and an Azure DevOps cloud-hosted static code analysis extension for reporting vulnerabilities in automated build pipelines.
The SANS Application Security Summit in 2012 was Eric’s first exposure to the SANS Institute. In his own words, “The summit blew me away. Excellent speakers, real-world material, top-notch training. After spending time with the instructors and SANS staff, I knew I wanted to work with the SANS community. Fast forward to today, after authoring and teaching several SANS classes, it’s the best career decision I made. The learning never stops, and the fun never ends.”
Eric believes that anyone working in the Cloud & DevOps Security space faces the same challenge: the subject matter is massive and constantly changing. The number of public cloud services and tools available can be very overwhelming. The most important concept that he learned early on is not taking on too much at once. Improve and learn every day. Taking a smaller, incremental approach to learning helps one stay focused. Eric implements this approach in his courses, as they build up over the week, re-enforcing concepts with several hands-on exercises daily. After a full 5-day course, students look back, take pride in what they've built, and feel prepared to take on the challenges awaiting them back in the office, as well as in their future career.
Great courses are never done and great instructors never stop learning. The Cloud & DevOps space makes this easy. Services, ideas, and tools are constantly evolving. Teaching Cloud and DevOps material keeps the instructor on edge, requiring a unique blend of skills and experiences, along with constant maintenance. The backbone of DevOps is the development workflow. Spending a few years in enterprise level software and web development before entering information security put Eric in a perfect position to understand how DevOps can build security workflows. Experience with cloud architecture, security assessments, building automated security tools, and custom security automation at both the enterprise level and at small/medium-sized companies allows him as an instructor to ensure every student leaves with the knowledge they need to improve security in their organization.
Being part of the student's journey is the most rewarding part of teaching for Eric. He regularly receives messages from students around the globe – sometimes years later - thanking him for sparking an interest in a subject, motivating them to work on a project, telling him they received a promotion at work, or passed a certification exam. In receiving these messages, Eric immediately can visualize what classroom the student was in and where the student sat. This always brings a smile to Eric’s face.
Eric delivers security training around the world and has presented security research at conferences including RSA, BlackHat, OWASP, BSides, DevOps Days, fwd:cloudsec, JavaOne, UberConf, and ISSA. Eric earned a bachelor's degree in Computer Engineering and a master’s in Information Assurance at Iowa State University, and currently holds the CISSP, AWS Developer, GWAPT, and GSSP certifications.
When not securing The Cloud, Eric enjoys spending time with his wife and two children traveling the world and exploring new cities, especially during the cold Iowa winters. Most of his free (non-technology) time is spent on the golf course, attending Iowa State football games, or in Louisville, at the horse track or bourbon tasting. Cheers!
Listen to Eric teaching in this webcast: Cloud Security And DevOps Automation: Keys for Modern Security Success.
ADDITIONAL CONTRIBUTIONS FROM ERIC JOHNSON
- CloudSecNextSummit 2023 Co-Chair, Oct 2023
CloudSecNext Summit 2022 Co-Chair, May 2022
- CloudSecNext Summit 2021 Co-Chair, June 2021
- CloudWars Episode 1: The IAM Menace, March 2022
- CloudWars Episode 2: Attack of the Packets, April 2022
- CloudWars Episode 3: Revenge of the Hacks, May 2022
- Securely Integrate Multicloud Environments with Workload Identity Federation, Sept 2023
- WORKSHOP: Destroying Long-Lived Cloud Credentials with Workload Identity Federation, Oct 2023
- Breaking the Cloud Kill Chain, March 2023
- Where We're Going, We Don't Need Roads, June 2022
- Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments, Nov 2021
- Panel Discussion: Rethinking the Sec in DevSecOps: Security as Code: A SANS 2021 Survey, June 2021
- Rethinking the Sec in DevSecOps: Security as Code: A SANS 2021 Survey, June 2021
- Locking Down GitFlow with GitHub, GitLab, and Azure DevOp, (Cloud Security and DevSecOps Part 2 of 3), May 2021
- Multiple Clouds Require Multiple Solutions: AWS, Azure, & GCP - SANS @Mic, Jan 2021
- Winning in the Dark - Defending Serverless Infrastructure in the Cloud - SANS@Mic Tokyo, Dec 2020
- Extending DevSecOps Security Controls into the Cloud: A Panel Discussion of the 2020 SANS Survey, Nov 2020
- Extending DevSecOps Security Controls into the Cloud: A SANS Survey, Oct 2020
For additional webcasts, please review the SANS Webcast Archive.
- Inspection VPC Architecture, cheat sheet
- Secure Service Configuration in AWS, Azure, & GCP poster
- Cloud Security and DevSecOps Best Practices poster
TOOLS & MORE