While the rest of this post looks back at 2007, I'd like to throw some attention to the security presentation at DrupalCon Boston.
2007 was a busy year for the Drupal Security Team. That's not to say that Drupal is unsafe but that security requires a lot of work. The nature of the work makes it hard to communicate exactly what is going on. So here is an attempt to share some information about the past year for the security team.
Releases, Reports, and Discussion
The team issued 37 Security Announcements (SAs), representing more than 100 patches released. Each SA requires at least 1 patch and 2 reviews (review before the patch is made to find other security holes and a second review to ensure that the hole has actually been fixed). Most issues involve multiple patches and multiple reviews. Each also requires the SA to be written and reviewed, the patches to be committed, release nodes created, published, drafts copied from security.drupal.org to drupal.org, and flipping publish/status bits on a few nodes around our infrastructure. All of that work was done 37 times last year or approximately once every 10 days. For comparison, 2006 totaled 32 SAs.
For each issue that results in an SA, several more problems are reported that turn out not to be security issues. See Howto report a security issue and My Site Was Defaced ("hacked") What Should I do Now? for more information about how to report issues properly and with sufficient information. You can get a sense of the amount of discussion of security-related topics, and of the volume of false reports, from the number of emails sent to the internal mailing list:
Individual mails to the security team: