Start with an assessment of the application. You will identify threats and weaknesses, Translate that into a roadmap of the target state. You cannot boil the ocean so pick the items that pose the greatest risk as your priority items.

To me, a quick start in those situations is to get answers about the most common pitfalls I found when working with developers who did not care about Security:
- Authentication: How it interacts with users and other applications.
- Credentials: How are stored.
- Storage: How does it persist changes. What security controls are applied.
- Data flow.
I'm talking about quick wins. Of course you are right and a threat modeling and risk assessment are how things should be accomplished, there are so many additional areas to be covered (for example environment, deployment) but sometimes is overwhelming and a simple document can serve as a starter.

Luis. Security Engineer, IT Manager.

You can start with the principle aligned with your organization's objectives. Principles like Single Identity, Security Monitoring, Data Security and etc. You can then assess if the architecture/ design complies with those principles. This will be a continuous process and will get refined over a period of time but you need to start from somewhere and take the feedback for relevant stakeholders and improve.  

 

Thanks!!

Rahul Sharma