It appears my post here is related; disregard if not.
Years ago, I wrote an accounting application for an ISP. It used CGI::Application. I forced the system to use only one entry point and to error out on any URL passed in that wasn't from this entry point.
I then implemented CGI::Application::Plugin::LinkIntegrity to protect against rogue URL input, after entry has been gained.
Although specific to CGI::Application, it wouldn't be hard to drum up something similar for any other module or even custom code. This, along with -T and other routine validation should make things a bit more resistant to tampering.