A large number of attacks on computing systems succeed because of the existence of software flaws (e.g. buffer overflow, race conditions etc.) that could be fixed through a careful design process. An effective way of improving the quality of software products consists of using metrics to guide the development process. The field of software security metrics however is still in infancy in contrast with the area of traditional software metrics such as reliability metrics for which several key results have been obtained so far.