It's a common misconception that the first step in building an application security program is sorting out the tooling. In reality, security tools translate well, and most early-game head-scratching will center on process. It helps to start small: SCA (source composition analysis), a low-effort and non-invasive first measure, is a great launch point. This is not only because SCA tools are widely available, but also because its ease of adoption primes security teams before they pursue more investigation- and work-heavy practices like SAST, DAST, IAST, etc.