Website compromises are an everyday, headline-making reality. Sometimes a cyber-attacker's motivation is national security inclined, other times its profit-driven, or it's to express a political message, and sometimes it's just for the LulzSec. It also doesn't matter anymore if their targets are governments, military contractors, retailers, banks or even blogs - everyone online can now be on the receiving-end of a Web attack and, usually, by techniques we're already very familiar with yet often overlook: SQL Injection, PHP File Include, Cross-Site Scripting, Clickjacking, Cross-Site Request Forgery, the list goes on. There truly is nothing new here that we haven't seen before. We know how to find these vulnerabilities, we know how to fix them, and we know how to prevent them. Yet, website compromises continue to increase anyways. The answer to why they're increasing is simple: many companies haven't solved the challenge on how to address Web application security at scale. Whether you are responsible for protecting 10, 100, 1000 websites or even more, the technical challenges for Web application security at scale are two-fold: 1) How do you deal with an enormous backlog of Web code - already completed, riddled with vulnerabilities and developed in an era where security awareness was nonexistent? 2) How do you successfully integrate Web application security into the push-or-die pace of agile software development so your next generation of Web code is able to defend itself from modern attacks? Answering these two questions requires a two-prong strategy that addresses operational security and ongoing software security, which comprises the central focus of this presentation.