Reading Shopify’s approach to keeping their merchant’s secure at their humongous scale seems to come down to the radical standardization of everything. People think this is boring (it isn’t) but it has tons of benefits beyond just security.
https://engineering.shopify.com/blogs/engineering/building-shopify-application-security-program