As suggested in this question, I am adding this topic as a new question, for community discussion/voting regarding best-practices for Plugin/Theme security.
Here is the starting checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes).
If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:
Use Nonces (when not using Settings API)
Plugins and Themes should explicitly provide Settings-page nonce checking, if not using the Settings API:
- WordPress Nonces (Codex)
- WordPress Nonces (Mark Jaquith)
- Improving security in WordPress plugins using Nonces (Vladimir Prelovac)
- 5 tips for using AJAX in WordPress > 3. Use nonces and check for permission (Gary Cao)
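As an added illustration (not code from the original post or from any theme it refers to), here is a minimal settings page for a hypothetical plugin slug "myplugin" that does not use the Settings API, so it has to verify its own nonce and the user's capability before writing the option; the nonce action name, field name and option name are all assumed for the example.

```php
<?php
/**
 * Added example (not from the original post): a settings page for a
 * hypothetical plugin "myplugin" that does NOT use the Settings API, so it
 * must verify its own nonce and the user's capability on save.
 */

add_action( 'admin_menu', 'myplugin_register_settings_page' );

function myplugin_register_settings_page() {
    // Only users who can manage options get the menu entry; this alone is not
    // enough, the save handler must re-check the capability as well.
    add_options_page( 'My Plugin', 'My Plugin', 'manage_options',
        'myplugin-settings', 'myplugin_render_settings_page' );
}

function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['myplugin_save'] ) ) {
        // check_admin_referer() stops the request if the nonce is missing,
        // expired, or was issued for a different action or user.
        check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

        $value = isset( $_POST['myplugin_text'] )
            ? sanitize_text_field( wp_unslash( $_POST['myplugin_text'] ) )
            : '';
        update_option( 'myplugin_text', $value );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }

    $current = get_option( 'myplugin_text', '' );
    ?>
    <div class="wrap">
        <h2>My Plugin Settings</h2>
        <form method="post" action="">
            <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
            <label>Text:
                <input type="text" name="myplugin_text"
                       value="<?php echo esc_attr( $current ); ?>" />
            </label>
            <p><input type="submit" name="myplugin_save" class="button-primary"
                      value="Save" /></p>
        </form>
    </div>
    <?php
}
```

The nonce only ties the submission to a form this user was shown; it is the `current_user_can()` check that decides whether the user may change the option at all, so both checks are needed.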