A year's worth of hacks and exploits

Presented at THOTCON 0xA (2019), May 4, 2019, 1 p.m. (25 minutes)

Reverb.com is an ecommerce site for musical gear, with over two million users, transacting over half a billion dollars a year. This presentation will look at the past twelve months of exploits, security issues, reports, vulnerabilities, and everything else we've come across and patched. This includes:

1) Actual reports of OWASP Top 10 issues: how the vulnerabilities were found, why they were exploitable in the first place, and how we remediated them.
2) API endpoints that third parties found ways to abuse to game the system, and how we detected and mitigated them.
3) Non-public data storage endpoints that were found, what was at risk, and how we resolved the issues.
4) Brute-force password login attempts: how we detect and analyze them, keeping users safe while not aggressively limiting legitimate users' access to the marketplace.

This presentation will be a view from the trenches. We'll look at what happened behind the scenes, the ways in which the issues were brought to light (some good, some not so good), the risk involved, and the ways we've changed other parts of the infrastructure and development organizations to adapt to these threats. There will be useful and engaging content, with real data and examples to back it up. Those responsible for securing public web assets should be able to gain insight into the types of exploits hitting a highly trafficked site (US Alexa ranking of 306). Those on red teams may benefit from seeing the ways in which a high-profile site has been hit and the creative ways attackers have tried to game the system to their benefit.


Presenters:

  • Caleb Tennis
    Caleb is the Security Lead for Chicago based Reverb.com, an online marketplace for musical gear.
