Aside from expensive commercial static analysis tools, the .NET space has never had a reliable, well-maintained, security-focused static analysis engine. In early 2016, the Puma Scan team decided to leverage the power of the Roslyn API and address this gap. The Puma Scan team consists of application security experts and experienced software engineers with one goal in mind: helping your organization deliver secure software to the customer.

Project Team

Eric Johnson

Principal Security Engineer

Eric Johnson is a security consultant focusing on application security, including web and mobile application penetration testing, secure development lifecycle consulting, secure code review assessments, static source code analysis, and security research. Eric has presented his security research at conferences around the world including SANS, BlackHat, OWASP, BSides, JavaOne, UberConf, and ISSA.

At Puma Security, Eric serves as the project lead, writes static source code analysis rules, and contributes to the open source project.

Eric completed a bachelor's degree in computer engineering and a master's degree in information assurance at Iowa State University, and currently holds the CISSP, GWAPT, GSSP-.NET, and GSSP-Java certifications.

Twitter: @emjohn20

Eric Mead

Principal Security Engineer

Eric Mead has more than 15 years of experience in software development, primarily in the financial and agriculture industries. His primary focus is the .NET framework; however, Eric also has a considerable amount of experience in front-end frameworks such as Angular and React. He has held positions as a software consultant, business intelligence developer, and senior software developer.

At Puma Security, Eric is a software architect, writes static source code analysis rules, and contributes to the open source version.

Eric holds a bachelor of science degree in computer engineering from Iowa State University, with an emphasis in software engineering and information security.

Twitter: @eric.m.mead

Aaron Cure

Principal Security Engineer

Aaron is a security consultant and an instructor and contributing author for the DEV544 Secure Coding in .NET course. After ten years in the U.S. Army as a Russian Linguist and a Satellite Repair Technician, he worked as a database administrator and programmer on the Iridium project, with subsequent positions as a telecommunications consultant, senior programmer, and security consultant.

At Puma Security, Aaron focuses on developing security rules, as well as leading research efforts for data flow and taint analysis.

Aaron holds the GIAC GSSP-.NET, GWAPT, GPEN, GMOB, and CISSP certifications and is located in Arvada, CO. Outside the office, Aaron enjoys boating, travel, and playing hockey.

Twitter: @curea


Garrett Graham

Director, Sales & Operations

Garrett Graham is the Director of Sales and Operations at Puma Security, LLC. Garrett’s responsibilities include driving business development and the continuous improvement of our customer experience. Garrett holds the GSLC-Security Leadership and GISF-Information Security Fundamentals certifications.

Prior to joining Puma, Garrett worked at the SANS Institute, and supported the information security training initiatives of many technology, financial, healthcare, and retail companies. He has also worked for IBM’s Business Continuity and Disaster Recovery organization.

Garrett is a graduate of the University of Oklahoma and is originally from Dallas, Texas. He currently resides in Denver, Colorado.

Twitter: @ggraham32

Steve Kosten

Principal Security Engineer

Steve Kosten is a security consultant and an instructor for the SANS DEV541 Secure Coding in Java/JEE: Developing Defensible Applications course. He's previously performed security work in the defense and financial sectors and led the security department for a financial services firm.

At Puma Security, Steve oversees the Puma Scan project plan and leads process improvement initiatives.

Steve holds a bachelor of science in Aerospace Engineering from the Pennsylvania State University and a Master of Science in Information Security from James Madison University. He currently maintains GSSP-JAVA, GWAPT, CISSP, and CISM certifications.

Twitter: @skosten

Contact Us

Professional Edition

For questions about purchasing Puma Scan Professional support, please contact:

sales [at] pumascan [dot] com

Technical Questions:

For questions about the Puma Scan rules and documentation, please contact:

support [at] pumascan [dot] com
