In this talk, David will relay lessons learned from his first year working in the application security program at Riot Games. David will explain how he assessed the level of the program when he joined, and what gaps he identified. He will give an overview of how Riot approaches application security in a fast paced, agile environment. This will include how Riot implements controls which do not negatively impact product development or player experience. David will explain how Riot provides secure coding guidance to software engineers, works with QA, and maintains an application security community of practice. There are many options when it comes to understanding and improving an application security program. This talk will address Riot's efforts in this regard.