You've added SAST, DAST, and SCA scans to your GitHub Actions workflows; congratulations, you earned a green checkmark! But are you actually more secure, or just creating security theater? This talk exposes the illusion that running scans equals security and demonstrates how to extract real value from security tooling while protecting your pipeline from becoming the attack vector itself.
In true "First Principles" fashion, we'll question fundamental assumptions: Why do most security scans generate more noise than signal? Why do teams ignore 90% of vulnerability findings? And perhaps most importantly, who's watching the watchers when your "secure" pipeline becomes the easiest way for attackers to compromise your entire software supply chain?
Derek Fisher
Derek Fisher is a cybersecurity strategist and educator with nearly 30 years of experience in engineering and cybersecurity. He currently serves as Director of Temple University's Cyber Defense and Information Assurance Program, where he develops curriculum that prepares the next generation of cybersecurity professionals for real-world threats. He also teaches secure software development, believing that developers who understand security from day one build fundamentally better products.
His industry experience includes building comprehensive product security programs at JPMorgan Chase and Envestnet, where he transformed how global organizations integrate security into their product lifecycles. Throughout his career, he has helped companies across finance, healthcare, defense, and commercial sectors reduce risk while accelerating innovation through practical security implementations, vulnerability management programs, and cloud transformations.
As an author, he has written several books on cybersecurity, including The Application Security Program Handbook and the Alicia Connected series, which focuses on making security awareness accessible from an early age. He actively contributes to the cybersecurity community through his Substack publication, YouTube channel, and speaking engagements at industry conferences.
His philosophy centers on the principle that security isn't about saying no, but about finding the right way to say yes. Whether working with C-suite executives or entry-level developers, he focuses on practical solutions that enable business success rather than hinder it, believing that the best security happens when you build it into everything from the ground up.