Derek Fisher - VP AppSec, Author & Educator

The guy who makes security make sense - for engineers, executives, and eight-year-olds.

Nearly three decades of engineering experience. A hardware background that spans commercial circuits to military systems. A pivot into software. Then another pivot - into the work that actually needed doing. Derek Fisher is the Head of Product Security at Envestnet, an application security instructor at Temple University, and the author of the field's most practical handbook on building security programs from scratch. He doesn't preach from a mountaintop. He builds.

30 years in engineering
2 books published
2 elite certifications
1 newsletter you should read

From Circuits to Cyber

Before there was AppSec, there was analog. Derek Fisher started his career designing circuits - real ones, for commercial and military applications. Then came the pivot to software development, and then the pivot that would define everything: an encounter with a product security officer at Siemens that changed his trajectory entirely.

That meeting sent Fisher to Boston University for a master's degree in cybersecurity, and kicked off a focused career building security programs inside some of the most demanding sectors in tech - healthcare and financial services. Not advisory roles. Actual, operational, team-building work. He has seen security successes and failures from the inside.

That firsthand experience became his credential. Not just the CISSP or the CSSLP, though he holds both. The credential is knowing exactly how a vulnerability lives in a codebase from the moment a developer writes it to the moment it gets exploited - and building systems that interrupt that journey.

"Product security is the umbrella that application security and DevSecOps fall under." - Derek Fisher

At Envestnet, a global fintech firm, Fisher leads that umbrella operation as VP of Application Security. His job is not to say no. It is to make secure practices so embedded in how engineering teams work that the question of "is this secure?" becomes as automatic as "does this compile?"

Credentialed. Twice.

CISSP
CSSLP

Certified Information Systems Security Professional + Certified Secure Software Lifecycle Professional. Few people hold both. Fisher does.

1. The Engineer

Hardware. Circuits. Military-grade systems. A foundation in how things actually work before he ever wrote a line of application code.

2. The Pivot

One conversation at Siemens. One product security officer. One decision to go back to school for a master's in cybersecurity. The rest is industry history.

3. The Builder

AppSec programs built from scratch. Teams hired and mentored. Fintech. Healthcare. Now Envestnet. Always building - never just auditing.

Security Without the Sermon

There's a particular failure mode in security leadership that Fisher has built his career avoiding: the instinct to become the department that says no. Every security team eventually faces this gravity. The engineering team wants to ship. The security team sees the risks. The meeting happens. Nothing gets built. Everyone leaves frustrated. Fisher calls this out explicitly - the job is to manage risk, not to be a blocker.

His approach at Envestnet reflects this. Product security, in his framing, is not a checkpoint at the end of the development cycle. It's a function that lives inside the software development lifecycle from the start - embedded in the architecture conversations, the threat modeling sessions, the sprint planning. DevSecOps is not a buzzword in his world. It's a description of how the kitchen actually runs.

That philosophy is what drove him to write the Application Security Program Handbook, published by Manning. The book does not assume you already have a mature security program. It starts at zero and walks engineering leads and team leaders through building something real - reproducible, scalable, and actually connected to how software gets built in 2024. The foreword was written by Matt Rose, Chief Architect at Bionic and former leader at Checkmarx and Fortify - a signal of the book's credibility in serious practitioner circles.

Fisher's instinct to translate complex security work for broader audiences didn't stop at the practitioner handbook. He also wrote the Alicia Connected series - a three-book cybersecurity education series for children aged 6 to 10. The inspiration was personal: raising his own daughter as a digital native, he saw an opportunity to give parents and kids a way to understand technology safety before the threats arrived. Not every AppSec leader writes picture books. Fisher does.

At Temple University, he brings this same translation instinct to undergraduate and graduate computer science students. He teaches software security to people who are still forming their mental models of what secure code looks like - building the next generation of engineers who will not need to be told that security matters, because they already understand why. He also serves as an advisor to Temple's CyberDIA PSM program.

His Securely Built newsletter on Substack extends that reach further. The newsletter covers application security and product security topics with the clarity of someone who has been in the room when things went wrong and knows exactly how to explain the lesson afterward. Recent coverage has included prompt injection attacks in GitHub Actions that expose API keys from AI coding tools - the kinds of real-world, immediate threats that security newsletters should cover.

Outside of work, Fisher runs Spartan Races. Obstacle courses. Fire. Barbed wire. The same methodical thinking that builds enterprise security programs also, apparently, keeps him moving through mud and over walls. The crossover makes a certain sense: Spartan Races, like AppSec programs, require showing up prepared, trusting the process, and finishing even when conditions are not ideal.

TIMELINE

The Path That Got Here

Early Career: Designing circuits for commercial and military applications - hardware engineering before software was even the plan.

Software Pivot: Earned a Computer Science degree and transitioned from hardware to software development. The engineering mindset stayed.

The Siemens Moment: Met a product security officer at Siemens. One conversation that changed everything - led to pursuing a Master's in Cybersecurity at Boston University.

Healthcare & Fintech: Built and matured information security teams in healthcare and financial technology organizations. Hands-on AppSec leadership at scale.

2020: Published the Alicia Connected children's cybersecurity book series - three books for ages 6-10, inspired by raising his own daughter in a digital world.

2022: Published Application Security Program Handbook with Manning Publishing. Foreword by Matt Rose (Bionic, formerly Checkmarx, Fortify).

Envestnet: Joined Envestnet as VP of Application Security - leading product security for a global financial technology company.

Ongoing: Teaching at Temple University. Publishing Securely Built on Substack. Speaking at ISC2 and industry events. Completing Spartan Races.

PUBLISHED WORKS

Written in the Field, Not on the Sidelines

PRACTITIONER HANDBOOK
Application Security Program Handbook

A step-by-step roadmap for building and maturing a comprehensive software security program. Written for engineers and team leaders who need to actually do the work - not just read about it. Foreword by Matt Rose, Chief Architect at Bionic.

Manning Publishing, 2022

CHILDREN'S SERIES
Alicia Connected

A three-book series on safe technology use for children ages 6-10, written as Fisher raised his daughter as a digital native. Award-winning. Because cybersecurity education starts before kids start coding.

Three-book series • Ages 6-10

What Fisher Says

"Product security is the umbrella that application security and DevSecOps fall under."
- Derek Fisher, NetSPI Podcast

"We're here to manage risk and vulnerabilities, not to be the 'team of no.'"
- Derek Fisher

"Every company is a software company."
- Derek Fisher

"Understanding actual risk versus tool-reported risk is critical for balanced decisions."
- Derek Fisher

SCRAPBOOK

Facts Worth Pinning

01. Started his career designing circuits for military applications. The jump to software was planned. The jump to security was a conversation at Siemens.
02. Holds both CISSP and CSSLP - two credentials that are each significant on their own. Holding both simultaneously is rare territory in the field.
03. He wrote a children's cybersecurity picture book series before finishing his industry handbook. The kids needed the intel first.
04. Competes in Spartan Races. The VP of AppSec at a global fintech also runs obstacle courses over fire and under barbed wire. The mindset scales.
05. His Securely Built newsletter has recently covered prompt injection attacks stealing API tokens from Claude Code, Gemini, and GitHub Copilot via GitHub Actions. Current. Relevant. Useful.
06. His Application Security Handbook's foreword was written by Matt Rose - former leader at Checkmarx and Fortify. In AppSec, that's like getting blurbed by industry royalty.