This talk will cover the Zope and Plone features that make writing secure code easy, such as AccessControl and plone.app.protect, along with the common mistakes people make when using them. Where possible, examples from past Plone security flaws will be included, alongside information on how we handled their disclosure and release.