Hi all! Check out https://www.mediawiki.org/wiki/Security_for_developers/Architecture -- I just removed the {{draft}} tag.
These security guidelines help lead developers, architects, and product managers make decisions that protect MediaWiki's users when developing new features or refactoring old code.
All MediaWiki developers can follow these principles and process when developing new core features or extensions. If a developer or team is planning to have their code deployed on the Wikimedia cluster, following these guidelines will ensure the security review process is quick and requires minimal changes before deployment.
This guide interrelates with the Architecture guidelines https://www.mediawiki.org/wiki/Architecture_guidelines, Performance guidelines https://www.mediawiki.org/wiki/Performance_guidelines, and user experience guidelines https://www.mediawiki.org/wiki/Wikimedia_Foundation_Design. Thanks to everyone who helped write these, especially Chris Steipp -- he wrote most of it and I helped. Thanks also to the chiptunes at https://soundcloud.com/benlandis which helped me power through. :-)
Sumana Harihareswara Senior Technical Writer Wikimedia Foundation