SQL Injection
Most Jasig code uses Hibernate or Hibernate backed JPA. Code which does not use these technologies should at least use prepared statements.
Cross-side Scripting (XSS)
Many Jasig porlets make use of Spring's escapeBody tag to perform HTML and JavaScript escaping.
The Manchester News Reader portlet uses OWASP Anti-Samy to clean dangerous tags from RSS feeds. This tool allows a developer to configurably strip HTML tags from proxied content.
Encryption of sensitive data
Most portlets should not need to store user passwords. However, for a portlet that does store potentially sensitive data, user data should be encrypted using some secure algorithm. Useful encryption resources might include Jasypt or Bouncy Castle.