Is your network being hacked by agents of foreign governments? That’s a shame. But your web applications might be susceptible to attacks from much more everyday threats. To counter them, does you company do application risk assessments? There are always limited resources to doing assessments and testing; how do you decide which applications deserve the most attention? In this talk, we will review a real-life situation where what management thought was a innocent little low risk application actually had some nasty secrets in its closet.