The US National Security Agency has recently released a list of the top 25 dangerous coding errors that lead to security vulnerabilities; it includes such items as improper input validation, improper encoding or escaping of output, and cross-site request forgery. While I'd highly recommend reading the list to anyone writing code that will run on a website accessible by the public, nothing on it should come as a surprise to any experienced programmer working in this field.
We at the Openflows Community Technology Lab take security very seriously, and among our contributions to the Drupal community in this regard is a set of backports of security-related patches for unmaintained versions of Drupal. We often use Drupal more as a framework than as a stand-alone CMS, and sometimes our projects involve development cycles spanning over a year, which in the Drupal world means that we can easily find ourselves having to maintain and secure versions of Drupal with no official support. I've found the Drupal security team's support to be excellent, and given the rate of change of Drupal core I certainly understand why they only have time to support two branches at a time, but this isn't always sufficient for us. A word to the wise: just as you should always make backups, you should have a plan for security support for any software you use. This might involve subscribing to the maintainer's security advisory list, subscribing to the security advisory list of your software distributor, or carefully monitoring your software yourself. Just because you're using something out of date doesn't mean that some script kiddie out there doesn't have an exploit that will work against your system.
