Tags: security, architecture, sonarqube, pipeline, measure

How to measure software security?


I want to start measuring software security, meaning that I want to understand whether my application is secure or not and improve from month to month.

It would also be really useful to have some suggestions of tools.

I use Sonar for detecting vulnerabilities, but it is not enough, because I am not able to see the progress and the effort spent on it. For example, I can see I have 10 major vulnerabilities, but I am not sure what I can measure instead of the number of vulnerabilities.


Solution

  • Your system is secure for certain types of vulnerabilities. If you let your application run without touching the codebase, it becomes less secure each and every day. So, today's security score might not be sufficient for tomorrow.

    Regularly checking your codebase against common vulnerabilities (by utilizing OWASP, CWE, etc.) helps you to identify potential risks. And doing a proper risk assessment can help you to spot high-risk issues. And they can be either prevented / mitigated or at least detected.

    So, my point is that having an up-to-date list of high-risk vulnerabilities (from your system's perspective) can help you to take action and keep your system secure against the newest Common Vulnerabilities and Exposures (CVEs) as well.
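One way to turn the answer's advice (a maintained, risk-assessed list of high-risk findings) into numbers that can be tracked from month to month, and that answer the question's "what can I measure instead of the number of vulnerabilities". This is an added example, not code from the question, the answer, or SonarQube; the severity weights, the 30-day aging rule, the `Finding` fields and the sample findings are all assumptions constructed for illustration.

```python
"""Measuring security beyond "number of open vulnerabilities".

Added, hypothetical example (not from the original post or any tool): each
finding carries a severity, a CWE tag and open/close dates, and from that we
derive three figures that can be compared month to month: a risk-weighted
score that grows as high-risk issues age, the mean time to remediate, and the
open count per severity.  All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights for this example; a team would derive its own from its
# risk assessment (e.g. CVSS bands or business impact).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
AGE_THRESHOLD_DAYS = 30   # open findings older than this count double


@dataclass
class Finding:
    fid: str
    severity: str
    cwe: str                      # CWE identifier as reported by the scanner
    opened: date
    closed: Optional[date] = None

    def is_open_on(self, day: date) -> bool:
        return self.opened <= day and (self.closed is None or self.closed > day)


# Constructed sample findings (not real scanner output).
FINDINGS = [
    Finding("F-1", "critical", "CWE-89",   date(2023, 1, 10), date(2023, 2, 3)),
    Finding("F-2", "high",     "CWE-79",   date(2023, 1, 15), date(2023, 3, 20)),
    Finding("F-3", "high",     "CWE-22",   date(2023, 2, 5)),
    Finding("F-4", "medium",   "CWE-798",  date(2023, 2, 20), date(2023, 3, 1)),
    Finding("F-5", "low",      "CWE-1104", date(2023, 3, 2)),
    Finding("F-6", "critical", "CWE-502",  date(2023, 3, 25)),
]


def risk_weighted_score(findings, day: date) -> int:
    """Sum of severity weights of findings open on `day`; stale ones weigh double."""
    score = 0
    for f in findings:
        if f.is_open_on(day):
            weight = SEVERITY_WEIGHT[f.severity]
            if (day - f.opened).days > AGE_THRESHOLD_DAYS:
                weight *= 2
            score += weight
    return score


def mean_time_to_remediate(findings, day: date) -> Optional[float]:
    """Average open-to-close time, in days, over findings closed by `day`."""
    durations = [(f.closed - f.opened).days
                 for f in findings if f.closed is not None and f.closed <= day]
    return round(sum(durations) / len(durations), 1) if durations else None


def open_by_severity(findings, day: date) -> dict:
    """Number of findings open on `day`, keyed by severity."""
    counts = {s: 0 for s in SEVERITY_WEIGHT}
    for f in findings:
        if f.is_open_on(day):
            counts[f.severity] += 1
    return counts


def snapshot(findings, iso_day: str) -> dict:
    """All metrics for one reporting date given as 'YYYY-MM-DD'."""
    day = date.fromisoformat(iso_day)
    by_sev = open_by_severity(findings, day)
    return {
        "date": iso_day,
        "open": sum(by_sev.values()),
        "by_severity": by_sev,
        "score": risk_weighted_score(findings, day),
        "mttr_days": mean_time_to_remediate(findings, day),
    }


if __name__ == "__main__":
    # Month-end snapshots: the raw open count barely moves (2, 3, 3) while
    # the risk-weighted score climbs (15, 17, 21) because F-3 sits unfixed.
    for d in ("2023-01-31", "2023-02-28", "2023-03-31"):
        print(snapshot(FINDINGS, d))
```

The point of the aging rule is that a flat count of open findings hides exactly the thing the answer warns about: an issue that was "only" high last month is worth more this month if nobody touched it. Tracking the weighted score and the mean time to remediate alongside the count shows both the effort spent (findings closed, and how fast) and the exposure that remains.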