How secure is your security? How can you ensure it is free from defects and critical vulnerabilities? In this episode, Derek Fisher, the author of the Application Security Program Handbook, shares how developers can position themselves to minimize risk in the space created. Derek tries to map everything back to risks in developing software to ensure security free from internal and external threats. He also highlights the threats you don’t know are the most concerning. With his skills in designing and implementing regulatory compliance systems and cutting-edge cybersecurity solutions to avoid security breaches, Derek has more gold to share in this conversation. So don’t miss out by tuning in as you gain more insights about mitigating unintentional insider threats!
Listen to the podcast here
Derek Fisher: Securing From The Inside Out
We will be bringing you the top experts in the industry for a chat about anything that is interesting in keeping our world secure. Speaking of interesting and keeping the world secure, we are excited to welcome Derek Fisher to the show. We are going in a little different direction than we have done before, but we are going to be talking about the things that we like to talk about because it’s why we do the show. Derek is the Head of Security at Envestnet, and an external advisor on Cyber DIA, the advisory board at Temple University.
In addition to being an adjunct professor, specifically talking about secure software development, he is an author, and we are going to dig into this a little bit too, Application Security Program Handbook, which is published by Manning. Those of you who read these things when we say, “Published by Manning,” that matters.
Previous lives, 25 years in the industry, he is a developer. This is a man who has mud and blood under his fingernails. We come into things talking about application security. Sadly, he’s not the guy who drained the three-pointer for the Lakers and the NBA playoffs a few years back, but if you want to ask him about it, he’s happy to talk about it. Derek, welcome to the show.
Thank you for having me on. I played basketball throughout high school but never made it to the NBA.
Not yet. Let’s talk a little bit upfront. I love to do the big, loud, and rowdy CV for the guests, but sometimes we have had people on the show that are involved with organizations that the audience may not know how much it matters to what they do. When we talk about Envestnet, it feels like they are one of the companies that people don’t realize how much what you do and what they do touch their lives. To get things going, what’s going on over at Envestnet?
Envestnet is a financial industry organization. Our bread and butter are in the advisor space, and what that means is that we provide applications and products to advisors for them to advise their clients on how to manage their money. We do that from the RIA (Registered Investment Advisor) level. We also do that at the individual level, whether it’s a retirement type of activity but the other part of the organization is focused on data aggregation. From a security perspective, that is always highly concerning. We want to make sure that we are providing the best in breed security tools, technology, and processes to those products that we offer to make sure that data is secure.
I love the notion that data is secure, given everything that we have seen going on over the last several years. When you look at this from your perspective, whether it’s the technology part, the human part, and even as we start looking at social media, how much when we talk about money? Where do you have to go? It’s such a huge conversation to be had. What is your responsibility for that? Your team, as you work out into the other areas of what’s happening, that’s serious.
One of the things that investment is striving for is focusing on piecing together all the different facets of the financial life for individuals. Not just your investments and your retirement but also, “Should I make this purchase on Amazon because how is that going to impact my long-term financial health?” What we are focused on is pulling data from a lot of different sources and actioning on that data.
From my team’s perspective, I run the product security team, which means that my team is focused on making sure that security is built into the applications that we deliver, whether it’s to advisors or end users. We make sure that in those areas where we collect that data and how we store that data, and how we act on that data, we have the right controls in place to make sure that workflow is secure as well as the data.
Digging into that, and let’s talk about your role there. This is what I like to call reading the internet. Part of your gig is to “develop a security group” to integrate security for a better flow of critical information across the investment product lifecycle. Did you explain that to me before that?
I can dig a little bit more into what that means. We have these products that we are delivering to advisors, clients, and so forth. My team’s job there is to look at the software development lifecycle and ensure that from soup to nuts that we are making sure that we have the right security controls in place. We can dive into that, what that means, and we do that through testing and integrating some of our scanning tools. We do threat modeling, risk assessments, and security training.
We provide security requirements, security reference architecture, and so forth. The goal of that is to ensure that we are building that security in to make sure that we are not coming in too late in the game. I can touch on more of that later on. We did the concept of what we call shift left, meaning that we are trying to get as far to the left in the development lifecycle as possible to make sure that we have those controls in place, identify issues, and fix them early on before they get out in production.
For those of you that are not familiar with the notion of shift left. Think of your high school algebra class where you’ve got zero on the timeline and the left of boom is where you want to be. Boom being at zero when something bad happens, Derek’s team is trying to make sure that they are always occupying a space left of boom, which means they have taken proactive steps to prevent the boom from happening because once it’s right off the boom, bad news.
Let’s dig into the idea of one of the things that we talk about on the show is the idea of threats. Insider or outsider but specifically to insider threats, whether they are witting or unwitting. Your team, what you develop, how does that create the space where you can minimize risk? You talked about that a little bit. What are the things that you guys are doing to put all of your developers in a position to make things that allow users of what you make not to have to deal with the right of boom?
There are a lot of different ways to phrase this. There’s the golden road, paved road or guardrails. It might be easy to visualize it this way because I often think about the software development life cycle and the development of code the same way that an assembly line is set up. You have an assembly line, and for those that are familiar with how assembly lines work, we can all visualize that where you have a bunch of different pieces that get put together, and at the end of that assembly line, you have a finished product. Building code is not much different these days in the sense that we have an assembly line and ways to integrate different components, whether they are internally developed or whether they are externally developed and packaged.
At the end of the day, you have a final product that’s polished and sent out to production. What my team is focused on is making sure that the assembly line, and the different components aren’t falling off the assembly line or that we are picking subpar products and building the final product with subpar products. In the case of security, making sure that they are not compromised products or malicious products.
We are verifying that all the steps along that assembly line have integrity and that the finished product is as secure as it possibly can be. We can do that primarily through pushing tools into that development life cycle by making sure that we are tightly coupled with the development team. Sometimes that means joining teams and being part of that. Sometimes that’s by creating grassroots security people within the development team to make them champions of security for that team. There are a lot of different ways that we can try to integrate that security in that assembly line to make sure the final product is not compromised.
When you are doing these things, there is a lot of responsibility on you and your team for the idea of leadership of bringing into this type of security if someone gets beat. If it’s an unwitting internal thing and they go back to the SBOM, the Security Bill of Materials, and they look back and say, “These guys did this thing.” You are like, “We didn’t. Our stuff is tight.” How do you have that conversation to say, “We are doing everything we can to do this thing,” and sometimes you get beat? Is that part of what you and your team have to deal with?
I always try to map everything back to risk. There’s a risk that is inherent to what we developed from a coding perspective. When I say risk, it doesn’t mean security risk. There’s a risk to the business. There’s a technical risk. There’s a risk of us missing a deadline and taking a bath in terms of money or clients expecting a certain deliverable in a certain time, and if we don’t make that deadline, there’s a risk to the business. The business bottom line for things like that.
I always try to map everything back to risk, and we have to be willing to accept a certain level of risk when we develop software. That’s the nature of what we do. Our goal is to minimize that risk. The other thing for myself and the rest of my security organization is that it’s about identifying risk. The risk that you don’t know is the one that you should be the most concerned about.
The risk that you don’t know is the one that you should be the most concerned about.
The risk that you do know is easy to measure and manage because you are aware of it. You know it’s there. You can put your monitoring tools around. Get your security team and focus on that area but it’s when you can identify the risk. That’s where you are going to have a bad day. In a lot of what we do, my team is focused on getting that visibility and understanding where our risks reside and what compensating controls we can put in place to make sure that those risks are not manifested.
As we wanted to do, we have already blown up most of the agreed-upon scheduled questions to ask because you keep having these fantastic answers like, “What about this?” When you and your team are in the development process, you are thinking about what you need to make but also risks and all of the variables. How do you stay tight to the notion of development knowing that you are delivering a product as advertised to be secure and keep people from making the mistakes that allow for insider threats to happen but you don’t know what you don’t know? You work off of what is in place but also have to consider every possible variable, which is a ridiculous level of responsibility, especially when it comes to other people’s money.
It’s funny because I have had numerous variations of this question thrown in. The way I view it is that my team and I have said to even my leadership that I can’t build a team big enough to be able to cover the entire SDLC (Software Development Life Cycle) across any company. You ask any other person that’s in my position, and they will tell you the same thing. I could have a team that’s 4 to 5 times the size of my team, and it still wouldn’t be enough.
“Give me a $1 billion budget for personnel, and I’m going to ask you for another $1 billion, so we can cover what you want.”
The way we try to square that is by ensuring that we have that left-shift mentality and that includes not making sure that the developers are equipped to be able to manage their own security but that we also have security-minded people that are embedded with those security teams or with the development teams.
That doesn’t necessarily mean my direct reports or my indirect reports but it’s raising the security awareness of the development teams so that they are enabled to know and identify security risks early on so that they can fix them. A lot of times, I have used the phrase, “I want to make sure that my team or that secure SDLC concepts are between the developer’s fingers and the keyboard.”
That means that’s where code is being written. That is where we need to make sure that the developer has the confidence to be able to develop code that delivers the feature that the business is looking for but does that in a secure manner. My team coming in anywhere beyond that is already too late. Building that culture of security and building security-minded people within those development teams is the only way to tackle that risk early on.
As you are building these solutions, how much do you take into account the idea of the insider threat, the human element, because that is the definition of chaos? It is hard to code. It’s hard to algebraically or mathematically break down into a thing because people, by nature, are emotional. We are mental and everything but math. You are providing tools to keep things safe and secure. Can you account for that as you develop new things?
There are ways to do that. One of the ways to tackle that is by peer review and making sure you are talking about specifically trying to manage the insider threat by doing peer review, code reviews or having a workflow that allows for more eyes to see the code before it goes into production. That’s going to get you the biggest bang for the buck. However, the problem with that is that it doesn’t scale very well. We can see a parallel to that in the open-source community, where the concept of open-source code is that there are one million eyes on it.
Therefore, it’s very difficult for someone to slip something in there that’s going to go under the radar. Not that hasn’t happened in the past or not that can happen. I’m drawing a blank but someone was able to modify the Linux code and create some chaos. It does happen in the open-source community.
However, the concept of making your code visible to more people limits the opportunity for someone to slip something in that gets under the radar.
When we think about insider threat from a developer point of view, we are talking about things like back doors or somebody exfiltrating data, siphoning data out in production and sending it to a server that they own for purpose of dumping that data later on or for the potentially holding a kill switch in case. Something that they get fired, and they want to make sure that the application goes down in production if they get fired.
There are a lot of different ways that somebody can slip something into the code from an insider perspective. Some of those things can’t necessarily be caught by scanning tools, some may but ideally, you would have a method to ensure that the integrity of that code is kept. The best way to tackle that would be through some type of peer review.
You have a book.
It’s pretty exciting.
It was painful but exciting.
Says every parent about anything they have ever burnt.
I was talking to somebody about that and they were like, “Would you do it again?” I was like, “I don’t know.” I’m sure I would sign up for it and then myself about two months into it.
“I had this idea that I had to get out, and then 700 pages later, it was awful.” It’s the Application Security Program Handbook. It is available from Manning Press. Please get it because you should. This is a terrible Good Morning America question but let’s go with it upfront. Why is application security important to modern software? We will dig into all of the tell me about your mother questions that will happen after that.
“The easiest way to think of why application security is important is the fact that every company is a software company.” I didn’t come out of that quote. There have been variations of that phrase being tossed around for a very long time. If you look at companies like Microsoft, Google, and so forth, they are software companies. They develop software. However, when you look at companies like Sherwin-Williams, the paint company, they are a software company. They have software they rely on to manage their inventory to help with marketing and help with new ideas. Uber is a ride-share company but they rely very heavily on the software that they use to run its business.
That’s to say that even if the company’s core function is not in the software business of creating software and delivering that to end users or clients, the company is still a software company. This means that the security of that software or the application security is paramount to those organizations to ensure that, number 1) Their client’s data is safe. Number 2) Their applications are trusted and don’t fail when they are needed.
A lot of times, if a company is using a third party for their software, they may say, “That’s not our problem. It’s not my software. I didn’t write it. It’s not my problem.” For anybody that’s worked in operations or has worked in a software organization, if you develop software and give that to your end user, when the end user runs into a problem with your software, even if the component that they are having problems with is written by a third party, it’s still your software.
They don’t care how the pieces are put together. All they know is that your software is broken. It doesn’t matter whether that part of the application that is broken was written by a third party or not. Most organizations need to be concerned about the security of their application and data because data is a new commodity. Regardless of what platform we are on, we are the product. By we, I mean our data is the product. It’s bought, sold, and traded on a daily basis by a lot of the big organizations. Even smaller organizations are grabbing a piece of that so that they can figure out how to market, they can figure out how to optimize their products and so forth. Regardless of whether you are a landscaping company or Microsoft, you are a software company.
I would like to thank you for talking me out of repainting my upstairs hallway by opening with Sherwin-Williams. I don’t need threat actors, nation states or organized crime, knowing now we have paint on his walls. We are going to be able to duck all the data out of there. Everything makes me nervous anymore, which is probably not the best space. Is that a good space or a bad space to occupy?
I was in a threat modeling training session. I will never forget the guy that was leading the session mentioned that he was at a hotel, and you know how they have those shampoo dispensers in the shower. He said that he went down to the front desk and told the person at the front desk, “What if somebody put hair removal in that shampoo dispenser.” The person behind that desk was like, “Why would somebody do that?” He’s like, “I don’t know but somebody could do that.”
It’s that paranoia that runs through security people. He wasn’t paranoid about it but it was that mindset of constant threat awareness and situational awareness of like, “How can this go wrong? How can this blow up?” It’s good for those that are in security to have that mindset but it is exhausting to wonder whether that soap dispenser is going to have hair removal.
I am shocked at this point that no one has ever hacked a major hotel chain and dumped thousands of gallons of Nair into either body wash or shampoo that is in the shower.
I would like to think that that’s not what happened to us.
Several years for me. I’m not sure how long for you but I will tell you this, we are very handsome. Let me ask you this. I’m not looking for specific technologies but we have seen some evolution in the security industry over the last several years. It doesn’t have to be specific to AI, blockchain or anything like that.
As you are leading teams that are developing things when new technology comes along, whether it’s useful or it’s more fashionable, what is your reaction to that as the team lead? Do you want to continue to build on the things that you have been doing? Are you aggressively embracing new things? Are you dubious about them? Option four being, “We will see.” How do you know what to grab and what to say, “We have been doing this thing, and this thing is good. We are going to keep doing this thing?”
For my team, from a product security point of view and building a secure software development life cycle, my answer is probably a little bit different than those that are in the security operation center or network security, where there is a tendency to go after the newer technology much more rapidly. It’s not that we are laggards or anything like that. It’s more, for my team, it gets down to blocking and tackling. My team’s function is to focus on making sure that the developers are writing secure code as opposed to, I’m going to probably catch flack for this but go out and get the next greatest blinky box and put it in the network.
Go out, get the next greatest blinky box, and put it in the network.
There’s some merit in both. There is a need for technology to constantly improve, get better, and make sure that we are addressing the current threats that are seen from a network and operational perspective. From the security development perspective, it hasn’t changed much. We have ways to scan code. There have been some improvements in that space in terms of getting better speed on scans and things like that.
There are new technologies from an application protection standpoint. It comes down to making sure that we are giving the developers the tools that they need to not write vulnerabilities in the first place. That is our core function. You can’t put a blinky box on the network to solve that problem. You have to work tightly with the engineering teams and make sure that they are equipped with the tools that they need to make sure that they are not running those vulnerabilities.
With all that being said, one of the challenges that we have with Secure SDLC and creating a security and development lifecycle is keeping up with engineering. The technology on the engineering side is constantly changing. In most organizations, you are not going to have a unified development platform. You are going to have teams that develop code in dozens of different ways. Our challenge is making sure that we not only have tools that can work across all those different tech stacks but that the application security team is also well-versed in those tech stacks so that they can respond and help those engineering teams work through the security issues they might find.
Let’s flip that now from the realm of the 1s and 0s. You also are an instructor at a legendary American University Temple in Philadelphia, shout-out to the Owls, which gives you access to the human element. The beauty of our industry is that it runs the gamut from kids to people that are transitioning out of previous things, whatever the definition of older people is anymore. You get to see an audience and talk about the notion of security. The philosophy but also the construction of it. I will ask two questions at the end of this very long-winded preamble. What do you get to see that are the good things and the not-so-good things when you survey the students in your classes?
The most positive thing that I have seen in the class that I teach is that the class is always full, and there’s always a waitlist. It had gotten so bad or good that I started a second section which immediately was full and on a waitlist. What that tells me is that either I’m easy for the course or that there’s a desire to learn.
You are going to RateMyProfessors.com.
That’s a very positive thing, and one of the things that I usually wrap up the course on, whether it’s at the end of the semester or throughout the course, is setting yourself aside or setting yourself apart from all the other software engineers that are coming out of whichever university you are coming out of. Setting yourself apart from them with this security knowledge is going to make you more marketable to the organizations that you want to go into. I truly believe that in my heart, that’s what the value of the course is. We churn out software engineers and developers at a very high rate.
Setting yourself apart from all the other software engineers from whichever university you’re coming out of, with this security knowledge, will make you more marketable to the organizations you want to enter.
There’s no shortage of Java, dot-net or Python developers but those that have that expertise and security on top of it are going to be able to set themselves apart. That’s critical for those that are trying to get into the field. As far as maybe not so good, I was trying to think about this earlier and honestly. I don’t know. I don’t see a whole lot of downside. Perhaps there are some, at least, in the course that I teach, you will see people that are truly engaged in the security space. Maybe that’s a quarter of the class, whereas the other ones it’s electives. They are maybe there to fill an elective.
They take a Cybersecurity Development course as an elective because it’s either that or a non-Western SIP. I don’t think that happens a whole lot. People are coming to you because they want to.
That’s what I would like to think but it would be good to see that. In my course, there’s maybe a quarter or a third of them that you could tell that they are security minded. This is what they want to do. They want to get into security. Maybe I would like to see that number go up higher where it’s a higher number of individuals that are there for the purpose of learning security. Not for the purpose of avoiding the basket weaving elective.
I don’t think this is the one that the jocks are taking to make them eligible. I didn’t go to the Temple. I went to a small engineering school in the Midwest in 1989 or whenever I was there. Filtering your view through the present. That’s the interesting thing about what you are doing. You are down in the development thing but you are also standing in front of a room full of students seeking knowledge from you.
What do you see for the near and midterm future that are your concerns with regard to security? You are literally a guy who makes the bricks that build the building but you are also teaching people who want to know how to make the bricks. You’ve got unique or two different perspectives on what is happening for what is about to happen.
Tying into what I said about data being a commodity. That’s where we are going to be putting a lot of focus on forever. Going forward, as far as I can see, we are in the business of collecting data whether we need it or not. One of the things that I point out in the course is that a simple question that you can ask yourself when you are developing these applications that collect data is, “Do I need this?” I see this in most organizations I have ever worked in. We have collected data for the purpose of the eventual need for it.
We say, “We might need this down the road, and so therefore, we should collect it.” That’s not always the right approach. Data security is by far going to become not that nobody is paying attention to it now because that’s a core function for a lot of security teams. What’s going to continue to be a heavy-hitting security concern is how we tighten up our security controls around data. We all know that we are paying attention in the security space. Every day there’s a new breach.
I had the chuckle because one of the podcasts I listened to was recommending some company that does data or some company that does identity protection stuff and said, “You can check to see if your data has been breached.” It’s like, “I can already answer that for you. It has.” I don’t think any of us have been spared a breach.
Electricity is on. We are plugged into the internet. I’m pretty sure we have been breached. Let’s bubble over to the leadership corner, and these are a few of the questions that we ask every guest, and I love to hear the answer because they never match. It gives us an idea of other things that we should be considering. For you, is there anything that has caught your attention, maybe in your peripheral vision, that you think maybe it’s worthwhile to be a little more of a primary focus? It doesn’t have to be a specific product, company or anything like that but the idea of why aren’t we thinking a little bit more about X.
One of the things that I have been keeping my eye on, and it’s not a new concept by far but it’s something that is gaining more traction, is what we call Application Security Posture Management or Application Risk Posture Management, ASPM or ARPM. This isn’t a new concept but application security teams have started to leverage more tools and have a very jagged set of technology, and the stacks that they are trying to protect create this disjointed view of the landscape.
What I mean by that is that for any large organization that has many business lines and many products that they deliver, you are going to have multiple scrum teams. Under each one of those, you are going to have a lot of different pipelines, and security tools are going to be plugged into each one of those.
Getting information out of those often means going to the specific tool to get that data going over to this specific tool over there to get the data related to SaaS and over there for SCA and over here for DAST.
By the way, your threat models are kept over here in this location, and then you are tracking your vulnerabilities in some defect tracking tool. What that ends up looking like is a bowl of spaghetti. You have all these different threads all over the organization that you are trying to pull and tease out like, “What does our actual application security posture look like?”
There are tools out there that will help pull that together. You can think of it as a dashboard type of thing where you are pulling in all that data into something that it’s a view into where your applications or security posture looks like. You can also roll that up to the higher level and executive level for a better view for them as well. It’s not a new concept but it’s starting to gain a lot of traction, and I know that that’s a pain point for myself and a lot of my peers.
Vinyl is not a new concept but it outsells CDs these days because it’s better. To you, not legendary Los Angeles Lakers, Derek Fisher, back into specifically leadership corner, what’s going on with you? What are you listening to? What’s on your playlist? Are you reading anything? Is it magazines on the toilet? Is it books sitting on the coffee room table? Are you out hang gliding? What’s going on?
Since I wrapped up the application security program handbook.
That’s the next segment.
I know but I haven’t had much time to read. I have been doing too much time.
“I’m too busy writing books to read them.”
I’m a podcast junkie. I listen to everything from politics, finance, security, and so forth. I do listen to a lot of podcasts. I read some technology reviews or some other magazines. I did pick up a book because I needed to take a break from writing. It’s called The Perfect Weapon, which is about the advanced persistent threat landscape. That has been fairly interesting.
This is not the direct-to-video Jeff Speakman 1992 action classic The Perfect Weapon.
No. I try to vary my reading as well because all of us need to step back occasionally and get some good quality time with a good novel here and there. I try to do that as well. Whether I’m reading cyberpunk or classic novels to break away from the constant tech reading. I like to cook. One of the things that I would like to do when I get home from work is throw down in the kitchen for a little bit because it’s a good way. I like working with my hands because being in the office all day, being on calls and getting peppered questions all day is exhausting. Being able to come home, put your head down, cook for a little bit, and work with your hands is always therapeutic.
I am so glad that you closed with that because you stole the question I was going to ask where I was going to say bluntly, “What do you like to eat?” The fact of cooking and working with your hands when you get a chance to get some vegetation, meat, and oils under your fingernails, what are you cooking? What are you eating?
A little-known secret. I used to cook. I was a cook in a restaurant. When I was in high school, I worked in an Italian restaurant for a long time. I was double dutying between Hardware Engineering, and in the evenings and weekends, I was working in the restaurant. I still have a soft spot for cooking Italian, but I have been starting to cook a little bit more Asian food. I like to eat Asian, Chinese, Thai, and Japanese food as much as possible. I’m not picky. I will go vegetarian sometimes. I will cook whatever I feel like making that night. I’m not the world’s greatest cook but I can make something respectable.
As long as you put the effort into your heart. Last weird question, what’s the sneaky best spice, season, or flavoring agent when you are cooking? You are like, “What’s good in this is paprika,” or something.
I was about to say that. Paprika goes a long way. It always comes down to the basics. Salt, pepper, garlic, onion, and paprika. I’m not shy with the cayenne to make sure that it gets a little kick to it. I like spice, so I’m not afraid of spice. If I’m cooking for other people, I occasionally get looks like, “This is a little too spicy.”
Now we know what’s going on in the Fisher household. If you ever get invited over for dinner, make sure you bring some milk with you. Let’s get to it. Shameless plugs. You got to tell me about the book. You got to tell people about what’s going on with the company. Anything if you are speaking anywhere, blogs, and all of that stuff. This is why I’m going to try to be quiet even though it’s hard for me to do, but if people look for you with all the things you have going on, where can they go?
The best place to find me is on LinkedIn. I try to be as active there as possible. I try to connect with people by messaging. Reach out to me. I get all kinds of questions. I’m always there to try to help as much as possible. I wrapped up the book, I haven’t been as active but I’m trying to get back out there. I have a YouTube channel. It has been dormant while I was writing but I plan on coming up with some additional releases. The book is out there on Manning. It should be available on Amazon soon. It’s called the Application Security Program Handbook. I also wrote a children’s book series on cybersecurity as well. Two of the books are out there on Amazon.
Wait, for an entire prep call, you never brought that up once.
That’s my bad.
It is your bad. It’s not 1 book but 2 books.
The third one is coming out here. It’s for elementary-age children who are learning about technology. It’s called Alicia Connected. It’s about a girl who gets her first tablet and works through social media and the pressures of technology for children of that age. That was my first actual published book but it was self-published, not through a publisher. The third one is written. I’m working with the illustrator to get the illustrations done.
You are literally building the defense of insider threats at the children’s book level, and we talk about this in the final 90 seconds of the interview. I’m embarrassed as a host. This is information I should have had. This is the worst. This is why you have to come back, and it’s going to be you, me, and twelve third graders as we talk about the notion of cybersecurity.
I have done plenty of talks at schools and libraries. I’m always open to doing that because if I can get between the developer and the keyboard, then I’m doing my job right. The best way to do that is to teach them early on.
I’m doing my job if I can get between the developer and the keyboard. The best way to do that is to teach them early on.
The Berenstain Bears do cybersecurity. This is what we do. I can’t believe that we are getting to this now. In LinkedIn, that is where we know that you are. One more time. The book, Application Security Program Handbook, is available from Manning Press and also at Amazon. Any parting shots? Any last thing that you want to yell at the world and say, “We have the most powerful cybersecurity podcast?” Probably not this one but it is one. One more thing.
No, I’m good. I appreciate this opportunity to discuss this topic. We are continuing to fight the good fight, so I appreciate the opportunity to be able to talk about it.
We are coming back to talk about the children’s books because I’m utterly humiliated that I didn’t know these things.
You can grab it on Amazon too.
There we go. Shameless plug. That’s the biggest thing. All of our guests are filled with shame and remorse. They never want to talk about themselves, and I have to yell about them like I’m Vince McMahon on WWE. That is it for now. I want to offer this reminder, and I’m going to say this condescendingly but please don’t hold it against me.
All comments reflect the personal opinions of the participants and not necessarily those of their employers or organizations. Thank you for joining us on the show for more information on all that’s good in the world of cybersecurity. Make sure that you check us out. You can find us on LinkedIn and Facebook, as well as the mothership, ElevateSecurity.com.
You can find me, @PackMatt73, across all of the socials. As far as the show goes, anywhere you go for your show, that’s where we are. All we ask is that you subscribe, rate, and review. You will never miss a thing with all the cool stuff that the great folks in the security world are doing to protect organizations, employees, and users from the bad guys but also from themselves. That’s why we bring in people like Derek when he is not draining three-pointers to win the NBA title. He’s doing good stuff. He’s writing children’s books, and he’s teaching students and runs teams that make sure that all of the applications are good. We will see you next time.
- LinkedIn – Elevate Security
- Facebook – Elevate Security
- LinkedIn – Derek Fisher
- Application Security Program Handbook Published by Manning
- Application Security Program Handbook on Amazon
- The Perfect Weapon
- Alicia Connected
- @PackMatt73 – Instagram
About Derek Fisher
Derek is an award-winning author, university instructor, and leader in cybersecurity who began a career in hardware engineering designing circuit boards for commercial and military applications. Looking to expand his knowledge and build on the hardware engineering practices, he pursued a degree in software engineering and soon entered the field as a software engineer.
Security quickly became a passion leading to a master’s degree in cybersecurity and a career solving complex product security challenges by developing and implementing an information security program/strategy for software products, including procedures and policies designed to protect from both internal and external threats. He is skilled at designing and implementing regulatory compliance systems as well as cutting-edge cybersecurity solutions to avoid security incident breaches, maximize privacy, and streamline procedures while bridging divides.