How would you build an application security program from scratch?
Start with visibility and risk: an inventory of applications and their owners, which ones handle crown-jewel data, and where the organization is already hurting (recent incidents, audit findings, known unpatched issues). Establish secure-by-default guardrails (paved-road frameworks and templates, hardened libraries, SSO, centralized secrets management) so the secure path is also the easiest path. Layer testing in proportion to risk: SAST and SCA in CI for every repo, DAST against running services, periodic pentests, and threat modeling for high-risk designs. Define remediation SLAs tied to severity and asset criticality, the metrics you will report (open findings, overdue findings, time to remediate), and a vulnerability-management workflow that routes findings to owners. Invest in developer enablement and a security-champions network — you can't manually review everything; scale through culture and tooling.
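The "testing proportionate to risk" and "SLAs, metrics, and a vuln-management workflow" points above are easier to reason about as a concrete policy. The following is an added example written for this page, not code from the original answer: it models a risk-tiered SLA policy (severity tightened by asset tier and internet exposure), a CI gate that blocks merges only where the risk warrants it, and the program metrics you would report. The tier scheme, the base SLA windows, the app names and the findings are all assumed or constructed for illustration.

```python
"""Risk-tiered vulnerability SLA policy, CI gate and program metrics.

Illustrative example: the tier scheme, SLA windows and sample findings below
are assumptions constructed for this page, not any organization's real policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Base remediation windows in days by severity (assumed policy values).
BASE_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class App:
    name: str
    tier: int              # assumed: 1 = handles crown-jewel data, 3 = low-impact internal
    internet_facing: bool


@dataclass
class Finding:
    id: str
    app: App
    source: str            # "sast", "sca", "dast" or "pentest"
    severity: str
    opened: date
    closed: Optional[date] = None


def sla_days(f: Finding) -> int:
    """Remediation window: base window by severity, halved for tier-1 apps,
    then reduced by a further 25% when the app is internet-facing."""
    days = BASE_SLA_DAYS[f.severity]
    if f.app.tier == 1:
        days = max(1, days // 2)
    if f.app.internet_facing:
        days = max(1, int(days * 0.75))
    return days


def due_date(f: Finding) -> date:
    return f.opened + timedelta(days=sla_days(f))


def is_overdue(f: Finding, today: date) -> bool:
    return f.closed is None and today > due_date(f)


def ci_gate(f: Finding) -> str:
    """Decide whether a new finding should block a merge or only be reported.

    Blocking everything trains developers to bypass the tooling, so only
    critical findings, and high findings on crown-jewel or internet-facing
    apps, fail the build; everything else is tracked against its SLA.
    """
    if f.severity == "critical":
        return "block"
    if f.severity == "high" and (f.app.tier == 1 or f.app.internet_facing):
        return "block"
    return "warn"


def metrics(findings: list, today: date) -> dict:
    """Program metrics: open/overdue counts, mean time to remediate, SLA adherence."""
    open_ = [f for f in findings if f.closed is None]
    closed = [f for f in findings if f.closed is not None]
    overdue = [f for f in open_ if is_overdue(f, today)]
    age = [(f.closed - f.opened).days for f in closed]
    within = sum(1 for f in closed if (f.closed - f.opened).days <= sla_days(f))
    return {
        "open": len(open_),
        "overdue": len(overdue),
        "mttr_days": sum(age) / len(age) if age else None,
        "closed_within_sla_pct": 100.0 * within / len(closed) if closed else None,
    }


# Constructed sample data (not real findings).
PAYMENTS = App("payments-api", tier=1, internet_facing=True)
WIKI = App("internal-wiki", tier=3, internet_facing=False)
TODAY = date(2024, 3, 20)
FINDINGS = [
    Finding("F1", PAYMENTS, "sca", "critical", date(2024, 3, 1), closed=date(2024, 3, 4)),
    Finding("F2", PAYMENTS, "sast", "high", date(2024, 3, 1)),
    Finding("F3", WIKI, "sca", "high", date(2024, 3, 10)),
    Finding("F4", WIKI, "sast", "medium", date(2024, 1, 1), closed=date(2024, 2, 15)),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.id} {f.app.name:14} {f.severity:8} sla={sla_days(f):3}d "
              f"due={due_date(f)} overdue={is_overdue(f, TODAY)} gate={ci_gate(f)}")
    print(metrics(FINDINGS, TODAY))
```

Running it shows the policy at work: the same "high" severity gets an 11-day window and a blocking gate on the internet-facing crown-jewel API, but a 30-day window and a warning on the internal wiki, and the metrics block is what you would trend month over month to show whether the program is working.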