In terms of appsec, we run quarterly black box pen tests and annual comprehensive white box pen tests with well-regarded firms, and have been rotating vendors on a regular basis for diversity. We also do a lot of stuff internally, like regular scanning, and internal sprints focused on vuln detection. We've been doing this for years. That's not to say we're perfect (we clearly are not) but we do take it seriously.