InfoSec Career Podcast – Episode 7
Eric Johnson is a principal security engineer with Puma Security, a SANS instructor, and developer turned security professional. I originally met Eric in 2013 or 2014 and have worked with him off and on over the years. I wanted to bring Eric on to the show for several reasons. First, I was interested in hearing how he made the change to security while working at Wells Fargo. Second, he’s also started his own company and created a source code analysis application named PumaScan. Today he shares his experiences with us.
I tend to take notes during the show of things that stand out to me and here is what I wrote down while talking with Eric.
Passion helped him get that first security job. He didn’t feel like he did that well when interviewing for a security position at Wells Fargo, but the people interviewing him sensed his passion and gave him a shot at it.
Imposter syndrome was a hurdle. Seems like we all feel this at various points in our lives.
When you are starting out, think about what your goal is. Then orient your training and efforts towards that goal.
When learning a new technology or programming language, come up with a “project” that you would use this in. Focus your learning on building something, rather than going through exercises. I’ve done this a number of times. Very helpful.
PumaScan – 2015. Eric was embarrassed by the open-source offerings for static code analysis for .Net. He and a friend started working on a proof of concept to see if they could detect a bad security pattern in source code. The POC for Puma Scan was then submitted to AppSec USA. PumaScan’s first release was the open-source version, then they later added a commercial version.
Find a mentor to work with and talk with regularly. The best mentors seem to be folks we meet and build a relationship first. Then the assistance from them comes into effect.
Things Eric looks for in people he is hiring. Communication skills, people skills, writing skills. He also finds himself looking for people with skills that he doesn’t have.
Eric observes that he gets more value out of local events and smaller conferences where he can meet people. Large conferences are difficult to have this kind of interaction with just due to the sheer size.
Personal note – I need to do better in my local community.
Presenting on Defending Serverless Infrastructure in the Cloud at RSA in February.