Forum OpenACS Development: Announcement: static source code analysis tool for OpenACS/NaviServer/AOLserver
Some of you might find this useful:
There was recently a commercial tool announced  that is able to scan the source code of Tcl/ADP pages for NaviServer/AOLserver (including OpenACS) for vulnerabilities. It uses a database with about hundred checks of dangerous function calls and vulnerabilities , which will probably grow with the time.
Since there is an increasing security awareness the number of security audits required by certain company policies goes up. Therefore it is important to have such tools around, especially due to the fact that there are many old and strongly adapted OpenACS sites out there. If you are running a website, or have developed some websites, you might be asked about such audits.
The developers seem quite competent and have an impressive list  of public vulnerabilities and CVEs.
Disclaimer: I have personally not used the tool, nor i have no relation at all to this company.