Do (for larger organisations especially) you have any sort of security policy/benchmark for any applications that you host on your web servers which were developed by either internal web dev guys or external parties? Say for example 3rd parties develop some apps on your behalf, but the data is yours, i.e. on your private servers, do you present to any 3rd party an expectation of security minimums that their application will meet before you will host it on your web servers? If so, what is the name of this policy? And what does it cover?
Do you draw the line between COTS software and smaller development companies? I.e. if you have an Oracle web app, do you ask Oracle to complete your compliance policy, or do you just give it out to smaller orgs with a lower reputation?