Derek Fisher

Derek Fisher has over twenty-seven years of technical experience in both hardware and software engineering while working in various companies and industries. Through his work in security as a developer, architect, and leader, he has provided his insights at development organizations attempting to create more secure code. Today, he performs many roles, including security evangelist, architect, mentor, speaker, and instructor, where he attempts to bring more secure development to the organizations he works with.

books & videos by Derek Fisher

Modern Threat Modeling for Cybersecurity

  • Course duration: 2h 57m

Learn to use threat modeling in cybersecurity, and get equipped with advanced skills for safeguarding systems amid ever-evolving cyber risks.

From unraveling the graphical representation of attack trees to seamlessly integrating continuous threat modeling into CI/CD pipelines, this course offers pragmatic insights and hands-on demonstrations. Master the art of navigating Threagile's YAML files to automate threat detection and craft tailored mitigation strategies to dynamic risk landscapes. Explore the unique challenges involved in securing cloud environments, dissecting complexities in identity management, configuration security, and shared responsibilities. Leverage the Cloud Security Alliance's innovative threat modeling cards, enabling visual insights into threats, vulnerabilities, and controls specific to cloud-based systems.

This course provides a holistic perspective on threat-modeling methodologies, so you can elevate your security prowess, fortify systems against emerging cyberthreats, and proactively integrate security best practices into development life cycles.


Distributed by Manning Publications

This course was created independently by Derek Fisher and is distributed by Manning through our exclusive liveVideo platform.

Application Security with the OWASP Top Ten 2025

  • Course duration: 2h 13m

Software is integral to businesses large and small. Software provides a means to track employees, customers, inventory, and scheduling, and allows data to move through a myriad of systems. Whether built in-house or purchased elsewhere and integrated, software applications sit at the core of every organization, regardless of size and industry.

And every one of those software applications needs securing!

In this quick guide to application security, we cover what’s in the OWASP Top Ten, the most up-to-date guide to the most critical security risks for web applications. We’ll go over what makes software vulnerable and how to protect applications from attacks to these vulnerabilities. We’ll talk about cryptographic failures, insecure configuration, how to maintain software integrity, what injection attacks are, and the common terms and security goals used in every organization. You’ll learn some of the basic ways to bring application security into the software development lifecycle, both from a traditional pipeline and from a DevSecOps perspective.


Distributed by Manning Publications

This course was created independently by Derek Fisher and is distributed by Manning through our exclusive liveVideo platform.

A Complete Plan for AI Security

  • Course duration: 5h 28m

Traditional application security focused on SQL injection and buffer overflows. But now that AI systems autonomously make decisions, generate content, and interact with critical infrastructure, a new paradigm of vulnerabilities has emerged. This course bridges the gap between classic AppSec and the emerging AI threat landscape, equipping security professionals, AI/ML engineers and architects, and Compliance and Risk leaders with all they need to know to build, run, secure, and regulate AI-based systems and software .

Rather than exploit code syntax, modern AI attackers manipulate meaning and intent itself. This “Semantic Shift” means new threats, like prompt injection attacks that hijack AI reasoning, data poisoning that corrupts model behavior, and cascading failures across multi-agent systems. In this course you will learn to architect and engineer secure-by-design AI applications that withstand real-world adversarial tactics. With new approaches come new regulations, and this course will walk through the complex web of AI regulations (from the EU AI Act's risk tiers to US Executive Order 14110 and FDA Predetermined Change Control Plans) and show how to transform regulatory requirements into actionable security controls.

Go beyond theory and get hands-on with the LLMSecOps Infinity Loop, a complete 9-stage secure lifecycle framework covering everything from initial scoping through continuous monitoring—specifically designed for AI systems.

Learn to quantify risk with the groundbreaking AIVSS Scoring System combining traditional CVSS metrics with the Agentic AI Risk Score (AARS), to give you a standardized way to communicate AI-specific risks to stakeholders and calculate security ROI.

Master Privacy-Enhancing Technologies (PETs) to implement cutting-edge protection with Differential Privacy, Federated Learning, Homomorphic Encryption, and Trusted Execution Environments—securing sensitive training data without sacrificing model performance.

Integrating industry-leading frameworks, including

  • OWASP Top 10 for LLM Applications (2025) – Master the latest vulnerabilities from Prompt Injection to Supply Chain attacks
  • OWASP Top 10 for Agentic AI (ASI) – Learn unique risks in autonomous systems: Agent Goal Hijacking, Tool Misuse, Identity Abuse
  • NIST AI RMF – Implement GOVERN, MAP, MEASURE, MANAGE functions for enterprise-scale AI risk management
  • MITRE ATLAS™ – Understand real-world ML attack tactics and techniques used by adversaries


Distributed by Manning Publications

This course was created independently by Derek Fisher and is distributed by Manning through our exclusive liveVideo platform.

GRC Fundamentals: Learn Governance, Risk, and Compliance

  • Course duration: 3h 12m
    30 exercises

GRC Fundamentals is your comprehensive guide to mastering governance, risk management, and compliance in today’s high-stakes business environment.

In an era where cyber threats, regulatory scrutiny, and operational risks evolve at lightning speed, organizations can't afford to treat governance, risk, and compliance as separate silos. This course shows you how to integrate GRC into a single powerful framework that not only safeguards your organization but also drives smarter decisions, efficiency, and business alignment.

Whether you're a cybersecurity professional, IT leader, compliance officer, or business executive, this course will give you the practical skills and knowledge to build a GRC program that is strategic, scalable, and sustainable. You’ll learn how to move from reactive compliance to proactive risk management—transforming GRC from a burden into a competitive advantage.

With expert guidance, you'll gain the tools to transform GRC from a checkbox activity into a strategic pillar of your organization.


Distributed by Manning Publications

This course was created independently by Derek Fisher and is distributed by Manning through our exclusive liveVideo platform.

A Guide for Developing Secure Applications

  • Course duration: 11h 14m

Every company uses software to function. From Fortune 500 technology companies to sole-proprietor landscaping firms, software is integral to businesses large and small. The right software, properly secured, can help organizations to move quickly and stay ahead of their competition.

Business software provides a means to track employees, customers, inventory, and scheduling. Data moves from a myriad of systems, networks, and software applications, providing insights to businesses looking to stay competitive. Depending on the needs and resources of a company, it may develop and build its own software, or it may purchase ready-made software and integrate it into the business operations. What this means is that every organization, regardless of size and industry, has a software need.

That is why there is an urgent need for people to develop and implement secure software. That’s where this course comes in: it is designed to help you become one of those crucial people.

This course will familiarize you with the common vulnerabilities that plague developed code, as outlined by the publications that set the industry standards, such as the OWASP Top 10 list of critical risks and the SANS Top 25 list of most dangerous flaws in software. You will understand what type of development behaviors lead to vulnerabilities and how to avoid those behaviors when creating secure code. You will learn how to perform a threat model on development features to understand what threats could impact your code, where they come from, and how to mitigate them. You will also learn to review and operate developer analysis tools to discover vulnerabilities, allowing you to correct them early in the development life cycle. Finally, you will understand how application security fits in an overall cyber security program.


Distributed by Manning Publications

This course was created independently by Derek Fisher and is distributed by Manning through our exclusive liveVideo platform.

Ultimate Cybersecurity Course and CISSP Exam Prep

  • Course duration: 7h 42m

In this course you will learn everything you need to know to take your cyber-security career to the next level. Whether you are already in cyber security and want to prepare for the CISSP exam, or you are working in technology and are curious about what cybersecurity is, this course is for you.

The course covers the range of topics that professionals in the field need to know about security and risk management in organizations, including best practices for security in architecture, networking, and physical locations. You’ll learn how organizations test and monitor for security, and how they use asset management to discover the data and systems that exist in their organization so they can protect them. And you'll see how security fits into the software development lifecycle

We will delve into the importance of security concepts such as confidentiality, integrity, and availability. How to use authentication and authorization to manage user and system access. How organizations prepare for disasters and ready themselves to resume operations. How to use risk management to define your company’s approach to security. Supply chain risks. Threat modeling. Security models. Cryptoanalysis. And so much more!

We cover a lot of topics here, and when you’ve finished the course you will have a thorough understanding of how security fits into an organization, and all the areas that need to be secured. Grab a comfy chair and get ready to learn.


Distributed by Manning Publications

This course was created independently by Derek Fisher and is distributed by Manning through our exclusive liveVideo platform.

Implementing an Application Security Program

  • Course duration: 4h 51m

This course delivers effective guidance on establishing and maturing a comprehensive software security plan. In it, you’ll master techniques for assessing your current application security, determining whether vendor tools are delivering what you need, and modeling risks and threats. As you go, you’ll learn both how to secure a software application end to end and also how to build a rock-solid process to keep it safe.

Application Security Program Handbook

  • November 2022
  • ISBN 9781633439818
  • 296 pages
  • printed in black & white

The Application Security Program Handbook delivers effective guidance on establishing and maturing a comprehensive software security plan. In it, you’ll master techniques for assessing your current application security, determining whether vendor tools are delivering what you need, and modeling risks and threats. As you go, you’ll learn both how to secure a software application end to end and also how to build a rock-solid process to keep it safe.