I just posted an article over on the SDL blog about security metrics in response to an analyst's criticisms of how we measure success/failure/progress.

Comments always welcome.

UPDATE: David Litchfield just made a post on the subject.