WebApp Sec mailing list archives

How do you measure software security issues in web applications?


From: "Mark Curphey" <mark () curphey com>
Date: Sun, 7 Mar 2004 21:27:31 -0500

I am interested in how others are measuring software security issues in
their web applications and software development life cycle?

I think everyone will agree that the need to measure the security posture in
some form is crucial. There are many reasons to measure it, including code
"security" quality from outsourcers, security improvement programs,
identifying areas for common improvement, etc., but how do you measure it?

Do you measure defects per x lines of code?
How do you measure defects in security requirements?
How do you measure deployment defects?

Anyone used a Six Sigma approach ?