1. If you get engaged early enough on a project and get to review any vendor contracts that come your way, there are two big clauses you need to include:
- adherence to your company information security policy (and other policies, statutes, etc.).
- "right to audit" clause to ensure that you get to perform the appropriate penetration testing or security audit.
Without these you have no assurance any security will be built into your solution, beyond what the vendor considers to be "secure".
2. Don't start a project without a firm contract in place. By contract I mean a legally binding agreement above and beyond a statement of work. Statements of Work are fine for short-term engagements, particularly if they are followed by a consultancy agreement or similar document. They are insufficient for large-scale projects.