Heine Deelstra, Drupal's security team lead, gave a great presentation about Drupal security at DrupalCon Paris. The first half of the presentation gives a short overview of the most common security issues, their consequences, and how you can use the Drupal API to prevent them. The second half of the talk is devoted to string handling and cross-site scripting (XSS). A must-watch for all Drupal developers.
Last week, the Drupal security team fixed a security bug in the OpenID implementation that is part of Drupal core. Heine deserves some extra thanks for his work in fixing the OpenID bugs in core: very few active contributors in the community have a deep understanding of the OpenID code, and Heine's efforts went well beyond the usual as he sought to understand the specification and correct the flaws. Great job, Heine, and the rest of the security team!