Summary
Drupal has come a long way with locking down its APIs to attack vulnerabilities. Of course, this does not mean it’s perfect, nor that a bad developer cannot create security holes. For this reason, it’s extremely important to pay attention to the security implications of all the code you write, follow the standards (including the OWASP checklist), and be aware of what contributed modules you use (to at least be covered by the Drupal security team). Moreover, it’s also very important to keep up to date with security announcements from the Drupal security team as new vulnerabilities may be discovered and updates required to remedy them. These are more time-sensitive in some cases than others, but it’s always good to stay up to date as quickly as possible (by following the communication from the Drupal security team). Luckily, though, historically speaking, Drupal has not had many security crises—at least not compared to other open-source frameworks...