Come For The Code
Is Drupal Secure?
The first question asked by any (good) Web Developer, Designer, Administrator, or Site Builder should always be and, for the most part, has always been: Is it safe?
The short-answer is: Why Yes! Yes, of course it is!
The long-answer is: Longer.
WhiteHouse.gov was built on a Drupal platform around 2006 and the President has never looked back. If the White House finds it secure, shouldn't you?
No, not really. Trust, as they say, but verify.
Drupal has a great track record and, despite being an open source community, has an extremely detailed and organized process for investigating, verifing, and publishing possible security problems as they are found. Site Administrators are notified by email immediately upon identification and correction of issues.
The Drupal Security Team has around the clock monitoring of any and all Security Issues with Drupal Core, contributed Modules, and contributed Themes. In addition, all Modules and Themes go through rigorous testing. On top of that, Drupal projects are created, updated, corrected, commented, fixed, and published using a very powerful version control system named Git. More on Git later.
If that is not enough, the Ottawa-based team OpenConcept routinely publishes their Drupal Security Best Practices, which details a step-by-step Security and Sustainability path for Development in Drupal.
Further Reading:
d.o | Is Drupal Secure: d.o page on Security and where links can be found for beginner level knowledge.
The Drupal Security Team Infographic on maintaining a Secure and happy Druplicon: