Do you have a process for keeping all your framework components up to date?
Is there a process to identify security vulnerabilities in the frameworks used?
Does the application being developed use industry standards and best practices such as OWASP, SANS or CERT?
Does the development team use or incorporate security during the development life cycle?
Does the development team get proper training on the OWASP Top Ten vulnerabilities?
Do developers use code review guidelines to implement proper security in the application?
Do you use production data during development (for example, by restoring a production database)?
Do you use production credentials in the development environment?
Are there change control processes and procedures for changes made to the code?
Is the development environment separated from the testing and production environments?
Do developers have access to the production environment?
Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser? 
Are PANs or any credit card data used in the development environment?