Ask HN: Security at my company is horrible, what can I do?

5 by throwAwaySec | 2 comments on Hacker News.
I joined a team working on maintaining and improving an old project around 4 months ago. The code is old, with horrible practices and no regard for security. I was OK-ish with it though, since the app is B2B and can only be accessed via a whitelisted IP. Now we have been told that on our product road-map we will be managing clients' private keys and sensitive data that is used to communicate with financial entities. I feel very bad about this as it could expose customers to huge risks (knowing the code-base); managers know as well. I'm not a security expert by any means, but there are minimal things that can be done to remove 90% of the issues, and no one is willing to budget some time for this; management just wants to push re-writes and new features fast. What can I do, as "the new guy" with no formal security training?

Edit: Most vulnerabilities I saw were the possibility of one user accessing and altering another's data just by messing with headers and URLs. This should not be possible for a non-whitelisted user as far as I can tell.
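The flaw described in the edit (one user reaching another user's data by editing an id in the URL or a header) is a missing per-object authorization check. The following is an added illustration, not code from the poster's application: a constructed request handler in the vulnerable shape beside a hardened one. The record store, session table, header names and handler names are all hypothetical.

```python
# Constructed illustration of the access-control flaw the post describes:
# one user reaching another user's records by editing URL ids or headers.
# Added example, not from the original post; all names are hypothetical.

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    payload: str


# Constructed sample data store (stands in for the database).
RECORDS = {
    101: Record(101, owner_id=1, payload="alice-private"),
    202: Record(202, owner_id=2, payload="bob-private"),
}

# Constructed server-side session table: session token -> authenticated user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def record_id_from_path(path: str) -> int:
    """Extract the trailing numeric id from a path such as /records/101."""
    return int(path.rsplit("/", 1)[1])


def handler_before(request: dict) -> str:
    """Vulnerable pattern: looks the record up by the id in the URL and
    treats a client-supplied header as the caller's identity. Neither the
    header nor the id is checked against the real session, so any
    authenticated user can read any record by changing the number."""
    record = RECORDS[record_id_from_path(request["path"])]
    # Attacker-controlled; reading it tells the server nothing trustworthy.
    _claimed_user = int(request["headers"].get("X-User-Id", 0))
    return record.payload


def current_user(request: dict) -> int:
    """Identity comes only from the server-side session, never from headers
    the client can set freely."""
    token = request["headers"].get("Authorization", "")
    if token not in SESSIONS:
        raise Forbidden("not authenticated")
    return SESSIONS[token]


def handler_after(request: dict) -> str:
    """Hardened pattern: authenticate from the session, then authorize the
    specific object. A missing record and a record owned by someone else
    are refused identically, so the response does not reveal which ids exist."""
    user_id = current_user(request)
    record = RECORDS.get(record_id_from_path(request["path"]))
    if record is None or record.owner_id != user_id:
        raise Forbidden("no such record for this user")
    return record.payload


def demo() -> tuple:
    """Bob's real session requesting Alice's record with a spoofed header.
    Returns (what the vulnerable handler leaks, whether the hardened one blocks)."""
    crafted = {
        "path": "/records/101",
        "headers": {"Authorization": "tok-bob", "X-User-Id": "1"},
    }
    leaked = handler_before(crafted)
    try:
        handler_after(crafted)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The fix is small and local to each handler, which is the kind of low-effort change the post is asking about: derive the user from the session, then check ownership of every object the request names before returning or modifying it. An IP whitelist does not substitute for this check, since every whitelisted user is still a different principal.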
