Ages ago, a few companies founded SAFECode – an organization dedicated to improving security in software development. In many cases they publish genuinely useful work that organizations can put into practice.
Steve Lipner (one of the developers of the Security Development Lifecycle at Microsoft) and Eric Baze of EMC just published an interesting post on Assessing the Security of Acquired Software: One size does not fit all! – it is worth reading.
However, in my world they cover only half of the story. One is how we can manage the risks of introducing faulty software into our environment – a risk