@Scale 2019: The call is coming from inside the house: Lessons in securing internal apps
Locking down internal apps presents unique and frustrating challenges for appsec teams. Your organization may have dozens, if not hundreds, of sensitive internal tools, dashboards, and control panels, running on heterogeneous technical stacks with varying levels of code quality, technical debt, external dependencies, and maintenance commitments. Hongyi discusses experiences in managing internal appsec, conveying the technical and management lessons Dropbox has learned in the process. He captures what worked well — finding a useful mental model to organize a road map and rolling out content security policy — and what didn’t.
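The content security policy rollout the abstract mentions is the one concrete technique on this page. The Python below is an added example, not code from the talk or from Dropbox: it sketches the usual staged approach for an internal app, serving the policy in Report-Only mode first, triaging the violation reports that come back (dropping the browser-extension noise that no server-side change can fix), and only switching to the enforcing header once nothing actionable remains. The directive list, the hostnames, the `/csp-report` endpoint, and the sample reports are all constructed assumptions.

```python
"""Staged Content-Security-Policy rollout helpers (added example, not from the talk).

Assumed scenario: an internal dashboard ships a Report-Only policy, collects
violation reports at a hypothetical /csp-report endpoint, filters out noise,
and promotes the same policy to enforcing mode once the report stream is clean.
"""
from collections import Counter
from urllib.parse import urlsplit

# Directive map for one hypothetical internal app. 'self' plus a single
# allowlisted static host are assumptions, not a policy from the talk.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://static.example-internal.test"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}

# Reports whose blocked or source URL comes from a browser extension are
# client-side noise; they are dropped before triage.
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                 "safari-web-extension", "about"}


def serialize_policy(directives, report_uri=None):
    """Render a directive map as a CSP header value, optionally with report-uri."""
    parts = [f"{name} {' '.join(values)}" for name, values in directives.items()]
    if report_uri:
        parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)


def csp_headers(directives, enforce, report_uri="/csp-report"):
    """Return (header name, header value) for the current rollout stage.

    enforce=False -> Content-Security-Policy-Report-Only: nothing is blocked,
    violations are only reported.  enforce=True -> Content-Security-Policy.
    """
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, serialize_policy(directives, report_uri)


def is_noise(report):
    """True when the violation was caused by an extension or other client-only source."""
    for field in ("blocked-uri", "source-file"):
        if urlsplit(report.get(field) or "").scheme in NOISE_SCHEMES:
            return True
    return False


def triage_reports(raw_reports):
    """Group actionable violations by (effective-directive, blocked origin).

    raw_reports: list of report-uri JSON bodies of the form {"csp-report": {...}}.
    Returns (Counter of actionable violations, number of noise reports dropped).
    """
    actionable = Counter()
    dropped = 0
    for body in raw_reports:
        r = body.get("csp-report", {})
        if is_noise(r):
            dropped += 1
            continue
        directive = r.get("effective-directive") or r.get("violated-directive", "").split(" ")[0]
        blocked = r.get("blocked-uri", "")
        if "://" in blocked:
            # Fold full URLs down to their origin so one noisy path does not hide the host.
            u = urlsplit(blocked)
            blocked = f"{u.scheme}://{u.netloc}"
        actionable[(directive, blocked)] += 1
    return actionable, dropped


def ready_to_enforce(actionable):
    """Promotion gate: switch to the enforcing header only when no actionable violations remain."""
    return sum(actionable.values()) == 0


# Constructed sample reports in the legacy report-uri JSON shape; not real telemetry.
DOC = "https://dash.example-internal.test/"
SAMPLE_REPORTS = [
    {"csp-report": {"document-uri": DOC, "effective-directive": "script-src",
                    "blocked-uri": "inline", "source-file": DOC, "line-number": 42}},
    {"csp-report": {"document-uri": DOC, "effective-directive": "script-src",
                    "blocked-uri": "inline", "source-file": DOC, "line-number": 97}},
    {"csp-report": {"document-uri": DOC, "effective-directive": "script-src",
                    "blocked-uri": "https://cdn.thirdparty.test/widget.js", "source-file": DOC}},
    {"csp-report": {"document-uri": DOC, "effective-directive": "script-src",
                    "blocked-uri": "chrome-extension://abcdefghij/content.js"}},
    {"csp-report": {"document-uri": DOC, "effective-directive": "style-src",
                    "blocked-uri": "inline", "source-file": "moz-extension://1234-5678/style.css"}},
    {"csp-report": {"document-uri": DOC, "effective-directive": "img-src",
                    "blocked-uri": "https://cdn.thirdparty.test/logo.png", "source-file": DOC}},
]

if __name__ == "__main__":
    print(*csp_headers(POLICY, enforce=False), sep=": ")
    counts, dropped = triage_reports(SAMPLE_REPORTS)
    for (directive, origin), n in counts.most_common():
        print(f"{n:3d}  {directive:<12} {origin}")
    print(f"dropped {dropped} noise report(s); ready to enforce: {ready_to_enforce(counts)}")
```

The triage output is what drives the rollout decision: inline scripts under `script-src` mean the app still needs nonces or a refactor before enforcing, while a repeated third-party origin is a candidate either for the allowlist or for removal. The same `POLICY` dict is reused for both header names, so the enforced policy is exactly the one that was observed in Report-Only mode.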