This may sound contradictory, but both are important. It’s all about planning for both the short and the long term. Don’t try to boil the whole ocean immediately—prioritize your applications (working through the highly critical applications first), set some measurable goals, and pilot some real activities to generate real results. This will showcase the value of application security, demonstrating a return on investment early and helping with future stakeholder buy-in.
Worthy goals involve reducing risk. It’s not enough to simply find some vulnerabilities; to show real improvement, they also need to be remediated. However, it’s also essential to keep in mind that taking steps to secure one application probably isn’t enough. In the long run, you’ll need a risk-based approach to your entire application portfolio. Anything too labor-intensive won’t scale well, so keep an eye out for areas to automate and be realistic about the level of detail included.