Thanks cjf, This is the bomb and will now form the basis of my new security policy. I will be fully OWASP compliant. They should offer an auditing/certification scheme to make some cash. It is possibly missing stuff on LDAP but from their future developments I look forward to the next release. The name seems slightly misleading as this stuff does not just apply to open source programming.