Questions:
Does the CSP follow secure coding standards? Does it train its developers to do so? Do these standards apply to the language(s) the application is built in?
Does the CSP perform threat modeling?
What end-to-end security tests does the CSP carry out?
What static/dynamic code analysis tools are used to identify potential vulnerabilities quickly?
How does the CSP conduct peer reviews for security-sensitive modules?
What third-party security libraries does the CSP use, and does it track how it keeps them up to date?
What penetration tests does the CSP perform on application features before they are deployed to production?
How does the CSP confirm that developers do not have access to production data?
How does the CSP confirm that support staff must request access to customer data in advance?
Is there an external vulnerability reporting mechanism for security researchers, and a public policy on how the CSP will treat researchers who report vulnerabilities?
What change control process does the CSP use to assess the potential security impact of a change, and to engage the appropriate security expertise to respond or contribute before the change reaches production?
Do CSP developers keep secrets outside of the codebase, in a secure repository?
Is access to the codebase limited on a need-to-know basis?
How does the CSP detect malicious code planted in a source code repository before it is deployed to production?