Abstract

Locking down internal apps presents unique and frustrating challenges for appsec teams. Your organization may have dozens if not hundreds of sensitive internal tools, dashboards, control panels, etc., running on heterogeneous technical stacks with varying levels of code quality, technical debt, external dependencies, and maintenance commitments. How do you tackle this problem scalably with limited resources?

Come hear a dramatic and humorous tale of internal appsec and the technical and management lessons we learned along the way. Even if your focus is on securing external apps, this talk will be relevant for you. You’ll hear about what worked well for us and what didn’t, including:

- Finding a useful mental model to organize your roadmap
- Starting with the basics: authn/z, TLS, etc.
- Rolling out Content Security Policy
- Using SameSite cookies as a powerful entry point regulation mechanism
- Leveraging WAFs for useful detection and response
- Using internal apps as a training ground for new security engineers