I think it would be useful to have some documentation that describes Drupal's security model. It would be great to have a place to point people to where they can find out about how Drupal handles and/or enforces items like user permissions, data validation (and XSS exploits), SQL injection, session hijacking and the like. Any security-minded folk want to take a crack at describing how Drupal works to keep you safe on this level?

Comments

sepeck

Status: Active » Closed (fixed)

Heine added secure coding docs.