Workshop Recap: Building a Risk-Oriented Application Security Program

Security conversations in tech often feel binary: either you’re obsessed with every potential vulnerability, or you’re ignoring the problem. I hosted a workshop with ProjectDiscovery that pushed past that — Rotem Reiss (Director of Product Security at Playtika) and Rishi Sharma (CEO of ProjectDiscovery) walked through how to actually build security into your org without it becoming theater.

Rotem’s background is what makes his perspective so useful. He started in software development and DevOps before moving into appsec. Open-source contributor, bug hunter, multiple CVEs to his name. He wasn’t a security specialist coming in to tell engineers they’re wrong — he was an engineer who learned to think like an attacker.

That matters because most organizations treat security as a gate at the end of the pipeline. Finish development, pass security review, deploy. That model doesn’t scale. It slows everything down and still misses things.

What Rotem and Rishi laid out was different: baking security into the early stages of development. Not DevSecOps as a buzzword — DevSecOps as actual practice. You’re making security part of how you architect, write code, and deploy from the beginning. Tools like Nuclei help you understand your attack surface and make informed risk decisions.

The key insight is risk-oriented thinking. Not every vulnerability is equal. A vulnerability in an auth component? Critical. A theoretical vulnerability in a test utility that’s not exposed? Lower priority. Sounds obvious when I say it, but most security programs I’ve seen don’t actually operate this way.

We covered how Playtika’s product security group secures their org — not in theory, in practice, on dynamic systems, at scale. Worth watching if you’re thinking about maturing your security practice.

Key Takeaways

  • Security belongs in development, not just at the gate. Catch problems early by making security part of architecture and design.
  • Risk-oriented beats vulnerability theater. Context matters — allocate resources where the actual risk is highest.
  • The right tooling is a force multiplier. Tools like Nuclei give visibility into your attack surface so you can decide instead of guess.