http://wiki.developerforce.com/page/Secure_Coding_Guideline
Secure Coding Guidelines
The following documentation walks you through the most common security issues salesforce.com has identified while auditing applications built on or integrated with Force.com. This documentation takes into account that many of our developers write integration pieces with the Force.com platform and includes examples from other web platforms such as Java, ASP.NET, PHP and Ruby on Rails. The Force.com platform provides full or partial protection against many of these issues. It is noted when this is the case.
Consider this to be an easy to read reference and not a thorough documentation of all web application security flaws. More details on a broader spectrum of web application security problems can be found on the OWASP (Open Web Application Security Project) site.
After you feel comfortable with the topics here, please utilize the tools we are making available which will help in identifying many of these types of issues.
1. Cross-Site Scripting
2. S(O)QL Injection
3. Cross Site Request Forgery
4. Secure Communications and Cookies
5. Storing Secrets
6. Arbitrary Redirects
7. Access Control
8. Enforcing CRUD and FLS (Force.com)
9. SSO for Composite Apps