Is an API available to clients?
Is there a formal security program established to include API security review?
Is Scoped Data encrypted in transit within the API for both request and response?
Is data input into applications validated?
Are third-party tools used during the software development process also evaluated for security issues?
Do you have any high or critical findings unresolved?
Are separate environments maintained for development, testing and production, including the separation of production data from non-production environments?
Do you perform automatic and manual application code reviews prior to production, including, where applicable, reviews of outsourced source code?
Do you perform vulnerability scanning on scoped applications and web pages and remove critical findings prior to production?
Do you have a process to ensure that all debugging and test code elements are removed from released software versions?