Oh No! Security Metrics!
I just posted an article over on the SDL blog about security metrics in response to an analyst's criticisms of how we measure success/failure/progress.
Comments always welcome.
UPDATE: David Litchfield just made a post on the subject.