What tools/processes do you currently use to ensure your apps are secure / when you are actually running in production?
Not much tbh. Disabled every port except 80/443, moved ssh to a non-standard port. Have unattended-upgrades switched on to grab security updates automatically... fail2ban, and the rest is obvious: making sure all non-essential app files are stored outside of public_html, being careful about sanitising user input, strictly limiting file permissions concerning public directories, etc. When I have an app worth hacking I'll invest more time into this, but until then it's a bit of a moot point.