Congratulations! You’ve been put in charge of the application security program at an organization. Your mission, should you choose to accept it, is to bring secure software development to the organization with minimal budget and a small team. Where do you begin? A lot depends on whether you are starting from scratch or whether a program already exists. For the remainder of this chapter, I will assume that you are starting from scratch. Many of the concepts hold regardless.