Salesforce has quite a bit of built in security; and has lots of security features that can be customized. Access to most parts of the Salesforce / Force.com platform isn’t actually available until a user has been authenticated.
A few weeks ago, I began studying for Admin Certifications, and was fortunate to find this photo on twitter that @SalesforceBen had shared.
Security in Salesforce can basically be broken up into profiles and roles. Although they sound pretty similar, profiles and roles do have some differences. Profiles determine record privileges, and determine what the user can do. Profiles also control some salesforce system privileges. Roles or “Role Hierarchy” allows the user to access subordinate’s records, but doesn’t allow upward access.
While Salesforce has a lot of built in security, there’s still some of the standard risks such as Cross Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SOQL Injection). The Salesforce Security Guide can help reduce some of these risks.