Via the ColdFusion Server Team blog, there is a new ColdFusion security resource available at OWASP:

ColdFusion Security Resources (http://www.owasp.org/index.php/ColdFusion_Security_Resources)

Looks to be a good list. Question is - why is it longer than Adobe's own list?