If you're a Drupal professional, you owe it to yourself and your clients to internalize the lessons and techniques inside Cracking Drupal: A Drop in the Bucket. This is true because, statistically, any insecurities in one's site are many times more likely to be introduced by one's own custom theming/modules than by Drupal core. The book mentions the audit of a high-profile Drupal site that uncovered 120 security issues, of which the vast majority were found in the customized theme layer! (much more than from contrib/custom modules even)
There are many good things to choose from, but for me the best thing about Cracking Drupal is that I finally have a definitive one-stop place to go for information about Drupal security: what to watch out for, how to test it, best practices, worst practices. It's all there.
Finally, keep in mind that just reading this book will not of itself make your site more secure. I've had to re-read certain things a few times before it sunk in all the way. A process helped along even more by downloading the vulnerable.module, the module the book uses for many of its examples, and testing out the examples inside of it for a few hours.
Many thanks to greggles for putting this together for the Drupal community. For another review of Cracking Drupal see Aaron's write up of it.