You are an information security practitioner who finds them self responsible for the security of their organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on-time and on-budget? This presentation aims to provide answers to these classic challenges. Sahba Kazerooni and Nish Bhalla will present a real-world case study where the requirement is simple: Reduce the risk to an organization from all external-facing applications. The discussion is interwoven with lessons of attack surface discovery, risk analysis and application assessment methodology.