Many security officers worry less about the security of new applications being built and more about the security of hundreds of applications they inherited. What applications represent the biggest risk? What attributes make them more or less risky? What are the most cost-effective courses of action given budget constraints in today’s business environment? This interactive workshop will help participants understand how to attack this problem and create a risk-based approach to managing the security of an existing application portfolio using tools like the OWASP ASVS model. The session will decompose an example application to determine how to conduct a bottom-up risk profile for future risk comparison against other applications. The audience will also participate in an exercise comparing different applications to better understand the ranking process. The audience will leave with a framework, action plan and basic understanding of the risk-ranking process that they can immediately apply to their work environment.