Just all the common PHP security. In fact, just the top 10 as published by OWASP.
However, Drupal acts as a web-application framework, a little here too.
- If you develop your own Drupal modules, make sure to adhere to writing secure code
- If you use only contributed modules, you should a) make sure to subscribe to Drupal's security mailing list, and b) upgrade your code all the time, and c) optionally, manuall scanning of all used modules with "writing secure code", mentioned above.
Drupal has security models and layers in place for all top10 OWASP issues. Allthough A6 (configuration) can go wrong. You will need to understand what you are doing and need to read the online help in Drupals admin in detail. You might open up security holes easily by changing settings, without knowing what they do exactly. For example: I have seen many Drupal sites that switch the default "input format" to e.g. Full HTML, because they think that helps editors, not realising that this makes this format the filter for all content, including comments. Opening up XSS-posting all over the place. Drupals online help mentions this, but people often don't read that :)
Another thing to realise, is that Drupal does not scan code upfront. People must read trough code, and report found security issues, before they are dealt with. If you run many thrid party modules, you can be almost assured at least one of them will have a security hole in them. If you want to avoid that, you must scan yourself, or else avoid such modules alltogether.