Drupal sites periodically need to store private information, for example a secret key used to communicate with a remote service (such as an API key for a payment gateway) or private information about each user of the site.
When dealing with any internet-connected software, staying on top of updates is a big responsibility. It is critical to the security of your site, yet it can take a lot of time. The traditional advice about updates is "subscribe to the updates mailing list", and that works pretty well for most projects. For broad software projects like Drupal, however, that advice is increasingly unmanageable.
Drupal 7 added a feature to core that is not directly user facing but is sometimes called poor man's cron. It triggers a Drupal site's periodic tasks, such as pruning logs, sending e-mails and clearing caches, at the end of an ordinary page request instead of from a system scheduler. Combined with dynamic detection of the "base url" (added in Drupal 4.7), this can lead to some screwy situations.
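As an added example (not configuration from the original article), here is a settings.php fragment for a Drupal 7 site that shows the weak default beside the hardened form: the default leaves $base_url to be detected from each request and lets automated cron piggyback on those requests, while the hardened form pins the hostname and hands cron to a real scheduler. The hostname and paths are assumptions.

```php
<?php
// Added example, not from the original article: settings.php fragments for a
// Drupal 7 site. The hostname and the Drush root path are assumptions.

// Weak (default) behaviour: $base_url is left unset, so Drupal derives it from
// the Host header of whatever request happens to be running. Automated cron
// ("poor man's cron") runs at the end of an ordinary page request once
// cron_safe_threshold seconds have passed since the last run, so any absolute
// URL built during that run comes from that visitor's Host header rather than
// from an address you chose.
//
// $base_url = '';                        // unset: detected per request
// $conf['cron_safe_threshold'] = 10800;  // default (3 hours): cron piggybacks on requests

// Hardened: pin the canonical address and disable request-triggered cron.
$base_url = 'https://www.example.com';   // assumption: your real hostname, no trailing slash
$conf['cron_safe_threshold'] = 0;        // 0 turns automated cron off entirely

// Run cron from a real scheduler instead, for example a crontab entry such as
//   */15 * * * * /usr/bin/drush --root=/var/www/example cron
// or, without Drush, a scheduled request to cron.php carrying the site's cron
// key (the exact URL is shown on admin/reports/status).
```

With automated cron off, nothing that a visitor can send in a request influences when cron runs or which hostname is current while it runs.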
Drupal has a rich and extensible role and permissions system. I've heard complaints from "everyday site builders" that there are too many permissions and from large government organizations that the permissions aren't granular enough, so you know we're doing something right. But there are some common mistakes and associated best practices to consider when working with the system.
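The following is an added example, not code from the original article: a hypothetical Drupal 7 module called "reports" (all permission names, paths and function names are assumptions) that shows two habits worth keeping when working with the permission system. Dangerous permissions are flagged with 'restrict access' so the permissions page warns before they are granted, and access decisions go through user_access() rather than a hard-coded role name.

```php
<?php
// Added example, not from the original article: a hypothetical "reports"
// module for Drupal 7. Permission names, paths and function names are assumed.

/**
 * Implements hook_permission().
 *
 * Every permission a module exposes is declared here so it appears on
 * admin/people/permissions. A permission that hands over control of the site
 * or of other users' data carries 'restrict access' => TRUE, which makes the
 * UI show a warning before an administrator grants it to a role.
 */
function reports_permission() {
  return array(
    'view reports' => array(
      'title' => t('View reports'),
      'description' => t('See aggregate reports; these contain no personal data.'),
    ),
    'administer reports' => array(
      'title' => t('Administer reports'),
      'description' => t('Change report sources and delete report history.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * Access to each path is decided by a permission, not by a role name, so a
 * site builder can grant it to whichever roles make sense on that site.
 */
function reports_menu() {
  $items['reports'] = array(
    'title' => 'Reports',
    'page callback' => 'reports_page',
    'access arguments' => array('view reports'),
  );
  $items['admin/config/reports'] = array(
    'title' => 'Report settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('reports_settings_form'),
    'access arguments' => array('administer reports'),
  );
  return $items;
}

/**
 * The common mistake: testing for a role by name. This breaks as soon as a
 * site renames the role, silently excludes any other role that was granted
 * the permission, and bypasses the permission system altogether.
 */
function reports_user_may_administer_by_role($account) {
  return in_array('administrator', $account->roles);
}

/**
 * The better habit: ask the permission system. user_access() grants user 1
 * everything and otherwise consults the role-permission map, so callers need
 * no special cases of their own.
 */
function reports_user_may_administer($account = NULL) {
  return user_access('administer reports', $account);
}

function reports_page() {
  return array('#markup' => t('Reports go here.'));
}

function reports_settings_form($form, &$form_state) {
  $form['reports_source'] = array(
    '#type' => 'textfield',
    '#title' => t('Report source'),
    '#default_value' => variable_get('reports_source', ''),
  );
  return system_settings_form($form);
}
```

The two helper functions at the bottom are there for contrast; a real module would keep only the user_access() form and let the menu system enforce 'access arguments' on every path.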
Many Drupal modules rely on third-party code; plupload and ckeditor are two examples. Those libraries ship a lot of code of their own beyond what the module actually uses, either as examples of how to work with the library or as integrations with other applications.
I chose those specific examples because they include XSS vulnerabilities.
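Because those example and sample directories are served straight from the web root once a library is dropped into sites/all/libraries, a practitioner wants a check that notices them. The following is an added example, not code from the original article: a hypothetical Drupal 7 module called "libcheck" whose hook_requirements() implementation (which belongs in the module's .install file) lists such directories on the status report. The directory names it looks for and the libraries path are assumptions; extend the list with whatever your libraries ship.

```php
<?php
// Added example, not from the original article: a hypothetical "libcheck"
// module for Drupal 7. The suspect directory names and the libraries path are
// assumptions; the hook below lives in libcheck.install.

/**
 * Directory names that usually hold demo pages rather than library code.
 */
function libcheck_suspect_names() {
  return array('examples', 'example', '_samples', 'samples', 'demo', 'demos');
}

/**
 * Returns the suspect directories found under $root as paths relative to it.
 * Works on any directory, so it can be pointed at a single library too.
 */
function libcheck_scan($root) {
  $found = array();
  if (!is_dir($root)) {
    return $found;
  }
  $names = array_flip(libcheck_suspect_names());
  $iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
  );
  foreach ($iterator as $path => $info) {
    if ($info->isDir() && isset($names[strtolower($info->getFilename())])) {
      $found[] = substr($path, strlen($root) + 1);
    }
  }
  sort($found);
  return $found;
}

/**
 * Implements hook_requirements().
 *
 * Runs each time admin/reports/status is viewed, so the warning comes back
 * after a library upgrade restores the demo pages you deleted last time.
 */
function libcheck_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }
  // Assumption: libraries live in sites/all/libraries (no Libraries API module).
  $root = DRUPAL_ROOT . '/sites/all/libraries';
  $found = libcheck_scan($root);
  $requirements['libcheck'] = array(
    'title' => t('Third-party library demo files'),
    'value' => $found
      ? format_plural(count($found), '1 directory found', '@count directories found')
      : t('None found'),
    'severity' => $found ? REQUIREMENT_WARNING : REQUIREMENT_OK,
  );
  if ($found) {
    $requirements['libcheck']['description'] = t(
      'These are demo pages, not library code. Delete them from the web root or deny them in .htaccess: !list',
      array('!list' => theme('item_list', array('items' => array_map('check_plain', $found))))
    );
  }
  return $requirements;
}
```

The scan is deliberately name-based rather than content-based: the point is not to audit the demo pages for XSS but to remove them, since nothing the module needs lives there.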
There are basically two reasons to think about security on your website: because you feel it is important, and because industry regulations force you to. The following list, broken down by industry and site type, shows which kinds of security issues and regulations you should consider when planning your site.
This article presents an overview of two methods to solve a cross-site scripting problem that affects older versions of Safari and Internet Explorer versions 8 and below (to varying degrees). If you are unfamiliar with XSS or how bad it is, please first read Introduction to Cross Site Scripting (XSS) and Drupal.