Decades of software engineering research have shown the effectiveness of using software metrics to identify fault- and failure-prone components and to predict the overall quality of a system early in the software development lifecycle. Software development organizations use this knowledge to prioritize their redesign and verification and validation efforts. In this research, we extend this work to examine the corresponding power of software security metrics to effectively identify vulnerability-prone and exploit-prone components early in the software development lifecycle. The technical objective of this research is to create and validate a predictive model that uses security metrics to identify and rank the risk of vulnerability-prone and exploit-prone components in a software product. The results of this model can be used to inform risk management and to prioritize redesign and verification and validation efforts in the later phases of the lifecycle. The expected result of guiding software development efforts with the predictive model is the production of more secure software. The educational objective is to incorporate these research results into resources for educating students to engineer secure software products.