Is the cause of product vulnerabilities evaluated and are appropriate changes to the development/engineering practices, tools, and techniques identified to mitigate similar vulnerabilities in the future?
Is training on secure engineering practices provided to the appropriate personnel on a regular basis consistent with changing practices and the changing threat landscape?
Are changes to the development threat landscape monitored regularly by reviewing industry security alerts/bulletins?
Are changes to the development/engineering practices, tools, and techniques assessed in light of changes to the threat landscape?
Are secure coding practices (e.g., user input validation, use of appropriate compiler flags, etc.) followed to avoid common coding errors that lead to exploitable product vulnerabilities?
Are secure hardware design practices (e.g., zeroing out memory and effective opacity) employed where applicable?
Are there well-documented processes for patching and remediating products?
Is there a process for informing the consumer of notification and remediation mechanisms?
Is remediation of vulnerabilities prioritized based on a variety of factors, including risk?
Are documented development and sustainment practices followed when implementing product remediation?