CSP Due Diligence Review - Software Dev.

Questions:

Does the CSP follow secure coding standards? Does it train its developers to do so? Do these standards apply to the language the application is built in?
Does the CSP perform threat modeling?
What end-to-end security tests does the CSP carry out?
What static/dynamic code analysis tools are used to identify potential vulnerabilities quickly?
How does the CSP conduct peer reviews for security-sensitive modules?
What third-party security libraries does the CSP use, and does it track how it keeps them up to date?
What penetration tests does the CSP perform on application features to be deployed before putting them in production?
How does the CSP confirm that developers don’t have access to production data?
How does the CSP confirm that support staff must request access to customer data in advance?
Is there an external vulnerability reporting mechanism for security researchers and a public policy on how the CSP will treat researchers who approach with vulnerabilities?
What change control process does the CSP use to assess the potential security impact of the change and to engage the appropriate security expertise to respond/contribute before a change to production?
Do CSP developers keep secrets outside of the codebase and in a secure repository?
Is access to the codebase limited on a need-to-know basis?
How does the CSP detect malicious code planted in a source code repository before it is deployed to production?