AI OnAI Off
Frederik Vig has put together a great collection of EPiServer information. You could start by checking out:
http://www.frederikvig.com/2010/05/episerver-developer-resources/#toc-security-membership-roles
http://www.frederikvig.com/2010/05/episerver-developer-resources/#toc-configuration
EPiServer uses standard Microsoft .Net membership providers, so you could look at Microsoft documentation as well:
http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.aspx
I don't think there's a security analysis paper available from EPiServer, but we had a third party do a security test on a solution I was working on, and they did not find any remarks regarding EPiServer and security.
Can anyone point me in the direction of a Security Analysis paper that has been conducted on EPiServer? I have looked on the EPiServer site but can't find anything that talks about the type of security that is used on the logins, or how common vulnerable areas are dealt with i.e. Contact Forms etc