What Are Security Best Practices for WordPress Plugins and Themes? [closed]
IT Nursery
April 9, 2022
As suggested in this question, I am adding this topic as a new question, for community discussion/voting regarding best practices for Plugin/Theme security.
Here is the starting checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes).
If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:
http://wordpress.org/extend/themes/coraline
Use Nonces (when not using Settings API)
Plugins and Themes should explicitly provide Settings-page nonce checking, if not using the Settings API:
WordPress Nonces (Codex)
WordPress Nonces (Mark Jaquith)
Improving security in WordPress plugins using Nonces (Vladimir Prelovac)
5 tips for using AJAX in WordPress > 3. Use nonces and check for permission (Gary Cao)
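The settings-page case the answer describes, as an added example that is not code from the original answer or from any real plugin: a hand-rolled options page (no Settings API) that pairs a nonce field with check_admin_referer() on save, and keeps a capability check as well, since a nonce only proves intent, not authorization. All names (exns_*, the option and page slugs) are hypothetical.

```php
<?php
// Hypothetical plugin; option name and page slug are made up for this example.
const EXNS_OPTION = 'exns_options';
const EXNS_PAGE   = 'exns-settings';

add_action( 'admin_menu', function () {
    // Only users who can manage options get the menu entry at all.
    add_options_page( 'Example Settings', 'Example Settings',
        'manage_options', EXNS_PAGE, 'exns_render_settings_page' );
} );

function exns_render_settings_page() {
    // Capability check is separate from the nonce: a valid nonce from a
    // low-privilege user must still not be allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'exns' ) );
    }

    // Handle the POST before rendering, without the Settings API.
    if ( isset( $_POST['exns_save'] ) ) {
        // Dies with "Are you sure?" if the nonce is missing, expired,
        // or was issued for another action or user (i.e. a CSRF attempt).
        check_admin_referer( 'exns_save_settings', 'exns_nonce' );

        $opts = array(
            // Sanitize every field; the nonce says nothing about the data.
            'tagline' => sanitize_text_field( wp_unslash( $_POST['exns_tagline'] ?? '' ) ),
            'enabled' => ! empty( $_POST['exns_enabled'] ) ? 1 : 0,
        );
        update_option( EXNS_OPTION, $opts );
        echo '<div class="updated"><p>' . esc_html__( 'Settings saved.', 'exns' ) . '</p></div>';
    }

    $opts = wp_parse_args( get_option( EXNS_OPTION, array() ),
        array( 'tagline' => '', 'enabled' => 0 ) );
    ?>
    <div class="wrap">
        <h1>Example Settings</h1>
        <form method="post" action="">
            <?php wp_nonce_field( 'exns_save_settings', 'exns_nonce' ); ?>
            <p><label>Tagline <input type="text" name="exns_tagline"
                value="<?php echo esc_attr( $opts['tagline'] ); ?>"></label></p>
            <p><label><input type="checkbox" name="exns_enabled" value="1"
                <?php checked( $opts['enabled'], 1 ); ?>> Enabled</label></p>
            <?php submit_button( 'Save', 'primary', 'exns_save' ); ?>
        </form>
    </div>
    <?php
}
```

For an AJAX handler the same pattern applies with check_ajax_referer() in place of check_admin_referer(), again alongside a current_user_can() check.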