Questions:
| Do you follow secure coding standards? Does it train its developer to do so? Does this standards apply to the language the application is built in? |
| Does the CSP perform threat modeling? |
| What end-to-end security tests does the CSP carry out? |
| What static/dynamic code analysis tools are used to identify potential vulnerabilities quickly? |
| How does CSP conduct peer reviews for security-sensitive modules? |
| What third-party security libraries does the CSP use, and does it track how it keeps them up to date? |
| What penetration tests does the CSP perform on application features to be deployed before putting them in production? |
| How does CSP confirm that developers don’t have access to production data? |
| How does CSP confirm that support staff must request access to customer data in advance? |
| Is there an external vulnerability reporting mechanism for security researchers and a public policy on how the CSP will treat researchers who approach with vulnerabilities? |
| What change control process does the CSP use to assess the potential security impact of the change and to engage the appropriate security expertise to respond/contribute before a change to production? |
| Does CSP developer keep secrets outside of the codebase and in a secure repository? |
| Is access to codebase limitd on a need-to-know basis? |
| How does CSP detect malicious code planted in a source code repository before it is deployed in production? |