Tracking and understanding security-related defects: Useful data points for shaping your SDLC program
In addition to CGISecurity, I also run a website called QASEC.com where I post SDLC-related content. I've just published a lightweight article discussing tips and tricks for tracking software-level vulnerabilities in larger organizations.
"If you work in infosec for a large organization it can be difficult to easily track the state of every software-level vulnerability throughout your various code bases. This is particularly true when groups outside of infosec such as the business unit, development, or QA are filing these defects and fail to loop in infosec (possibly because they don't know how!). Getting a grasp on how issues are being identified and handled is essential for improving your org's security program(s). By making a few changes to your bug tracking system it can become easier to understand the issues being discovered, the effectiveness of certain testing tools and strategies, and the effectiveness of defenses, and it can help improve processes addressing security-related defects."
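To make the "few changes to your bug tracking system" concrete, here is an added example that is not code from the QASEC article or from CGISecurity. It assumes a tracker export in which each defect carries a security flag, a vulnerability class, a `found_by` source (scanner, pentest, or a non-infosec team), the filing team, an `infosec_notified` flag, and an optional `mitigated_by` field naming the defense that limited the impact; the field names, issue IDs, and dates are constructed for this example. From that export it derives the data points the excerpt lists: which issue classes are being found, which tools and teams are finding them, which defenses are actually catching problems, how long each class takes to fix, and which security defects were filed without infosec being looped in.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample export from a bug tracker (hypothetical IDs and dates).
# The extra fields are the tracker changes this example assumes: a security
# flag, a vulnerability class, how the defect was found, which team filed it,
# whether infosec was looped in, and which defense (if any) limited the impact.
SAMPLE_ISSUES = [
    {"id": "BUG-101", "security": True, "vuln_class": "XSS", "found_by": "DAST",
     "filed_by": "QA", "infosec_notified": True, "mitigated_by": "output encoding",
     "opened": date(2009, 1, 5), "closed": date(2009, 1, 20)},
    {"id": "BUG-102", "security": True, "vuln_class": "SQLi", "found_by": "SAST",
     "filed_by": "development", "infosec_notified": False, "mitigated_by": None,
     "opened": date(2009, 1, 8), "closed": date(2009, 1, 10)},
    {"id": "BUG-103", "security": True, "vuln_class": "XSS", "found_by": "pentest",
     "filed_by": "infosec", "infosec_notified": True, "mitigated_by": "output encoding",
     "opened": date(2009, 2, 1), "closed": date(2009, 2, 15)},
    {"id": "BUG-104", "security": True, "vuln_class": "CSRF", "found_by": "business unit",
     "filed_by": "business unit", "infosec_notified": False, "mitigated_by": None,
     "opened": date(2009, 2, 10), "closed": None},
    {"id": "BUG-105", "security": True, "vuln_class": "SQLi", "found_by": "SAST",
     "filed_by": "development", "infosec_notified": True, "mitigated_by": "parameterized queries",
     "opened": date(2009, 2, 12), "closed": date(2009, 2, 22)},
    {"id": "BUG-106", "security": False, "vuln_class": None, "found_by": "QA",
     "filed_by": "QA", "infosec_notified": False, "mitigated_by": None,
     "opened": date(2009, 2, 14), "closed": date(2009, 2, 14)},
]


def security_issues(issues):
    """Keep only defects flagged as security-relevant."""
    return [i for i in issues if i.get("security")]


def counts_by(issues, field):
    """Count issues per value of one tracker field (missing/None -> 'none')."""
    return dict(Counter(i.get(field) or "none" for i in issues))


def days_to_fix(issue):
    """Elapsed days between opening and closing; None while still open."""
    if issue.get("closed") is None:
        return None
    return (issue["closed"] - issue["opened"]).days


def median_fix_days_by(issues, field):
    """Median time-to-fix per value of a field, over closed issues only."""
    buckets = defaultdict(list)
    for i in issues:
        d = days_to_fix(i)
        if d is not None:
            buckets[i.get(field) or "none"].append(d)
    return {k: median(v) for k, v in buckets.items()}


def not_looped_in(issues):
    """Security defects that were filed without infosec being notified."""
    return [i["id"] for i in security_issues(issues) if not i.get("infosec_notified")]


def report(issues):
    """Summarise the security defects the way the article suggests tracking them."""
    sec = security_issues(issues)
    return {
        "security_defects": len(sec),
        "by_vuln_class": counts_by(sec, "vuln_class"),
        "by_found_by": counts_by(sec, "found_by"),
        "by_filed_by": counts_by(sec, "filed_by"),
        "by_mitigated_by": counts_by(sec, "mitigated_by"),
        "median_fix_days_by_class": median_fix_days_by(sec, "vuln_class"),
        "infosec_not_notified": not_looped_in(issues),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ISSUES).items():
        print(f"{key}: {value}")
```

The `infosec_not_notified` list is the item worth wiring to an alert or a weekly review: it is exactly the set of defects the excerpt warns about, filed by QA, development, or the business unit without infosec in the loop. The `by_found_by` and `by_mitigated_by` counts give a first, rough read on which testing tools and which defenses are earning their keep, and `median_fix_days_by_class` shows which issue classes the remediation process handles slowly.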