Is there a worthwhile distinction between HTTP and other protocols?
Checklists and loops come up a lot, but they don't sit right with my brain. Can they be merged in a satisfying way?
Can a security test be benchmarked in a useful way? Breadth-first or depth-first testing? Coverage will be incomplete, so how is it maximized?
What value does vulnerability classification provide to the testing process? By testing technique? Vector? Exposure? Impact?
What factors determine impact? Headlines? Fines? Crimes? Consumer perceptions?
What is the minimum time to make a valuable statement about an application? How are time and value related? Can a process relate time and meaning linearly? Is that valuable? A baseline from regulations? An upper limit of the best new research?
What does security testing look like in a DevOps environment?
What can security testing apply from other software testing types? Can this be transferred back to facilitate DevOps?
What metrics can be used to evaluate the effectiveness of a process?
No safe is perfect, but there are known realistic lower bounds on the time required to breach or manipulate various models. So you might have a safe good for 30 minutes. What good is that? You now know that you need a burglar alarm with a < 29 minute response!
Matt Blaze
https://twitter.com/mattblaze/status/1553888561736433675
Coverage of real-world vulnerabilities
Take a published vulnerability and ask: would the process, as written, have discovered it?
Coverage of known vulnerable applications
Generate applications with random occurrences and variations of vulnerabilities, so the ground truth is known. Measure the time taken and the completeness of the process (what fraction of the seeded vulnerabilities it reports, and by when).
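A harness for that benchmark, as an added example rather than anything from these notes: it seeds synthetic targets with random vulnerabilities under a fixed seed, scores a process's findings against the ground truth (recall, precision, recall per class), and plots recall against elapsed time, which is the time-versus-value relation the questions above ask about. The vulnerability taxonomy, the `/api/v1/resourceN` endpoint names and the `simulated_process` stand-in are assumptions; a real run would feed `score` and `recall_curve` the findings of the actual process.

```python
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Assumed vulnerability taxonomy for the synthetic targets (not from the notes).
VULN_CLASSES = ("sqli", "xss", "idor", "ssrf", "auth_bypass")

# Ground truth: a seeded vulnerability is identified by (endpoint, vuln_class).
Seeded = Tuple[str, str]


@dataclass(frozen=True)
class Finding:
    """One report from the process under test: what it found and when (seconds)."""
    endpoint: str
    vuln_class: str
    t_seconds: float


def generate_target(seed: int, n_endpoints: int = 20, p_vuln: float = 0.25) -> Set[Seeded]:
    """Generate one synthetic target with random occurrences of each class.

    Endpoint names are hypothetical. The seed makes the target reproducible,
    so two runs of a process can be compared on identical ground truth.
    """
    rng = random.Random(seed)
    truth: Set[Seeded] = set()
    for i in range(n_endpoints):
        endpoint = f"/api/v1/resource{i}"
        for vuln_class in VULN_CLASSES:
            if rng.random() < p_vuln:  # independent occurrence per class
                truth.add((endpoint, vuln_class))
    return truth


def _earliest_true_hits(truth: Set[Seeded], findings: Iterable[Finding]) -> Dict[Seeded, float]:
    """Earliest report time of each seeded vuln that was actually found."""
    earliest: Dict[Seeded, float] = {}
    for f in findings:
        key = (f.endpoint, f.vuln_class)
        if key in truth:
            earliest[key] = min(f.t_seconds, earliest.get(key, f.t_seconds))
    return earliest


def score(truth: Set[Seeded], findings: List[Finding]) -> Dict[str, object]:
    """Score findings against ground truth.

    recall: completeness of the process; precision: how much of the report is
    real; per_class: recall for each seeded class, to compare classification
    schemes; last_true_hit_s: when the last genuine finding arrived.
    Duplicate reports of the same seeded vuln count once.
    """
    reported = {(f.endpoint, f.vuln_class) for f in findings}
    hits = _earliest_true_hits(truth, findings)
    per_class: Dict[str, float] = {}
    for vc in VULN_CLASSES:
        seeded = [s for s in truth if s[1] == vc]
        if seeded:
            per_class[vc] = sum(1 for s in seeded if s in hits) / len(seeded)
    return {
        "recall": len(hits) / len(truth) if truth else 1.0,
        "precision": len(hits) / len(reported) if reported else 1.0,
        "per_class": per_class,
        "last_true_hit_s": max(hits.values()) if hits else None,
    }


def recall_curve(truth: Set[Seeded], findings: List[Finding],
                 checkpoints: Iterable[float]) -> List[Tuple[float, float]]:
    """Recall reached by each time checkpoint: value as a function of time spent."""
    hits = _earliest_true_hits(truth, findings)
    curve = []
    for t in checkpoints:
        found = sum(1 for ts in hits.values() if ts <= t)
        curve.append((t, found / len(truth) if truth else 1.0))
    return curve


def simulated_process(truth: Set[Seeded], seed: int, false_positives: int = 3,
                      duration_s: float = 3600.0) -> List[Finding]:
    """Stand-in for a real testing process (assumption: replace with real output).

    Finds each seeded vuln with an assumed per-class probability at a random
    time within the run, and emits a few false positives.
    """
    rng = random.Random(seed)
    p_detect = {"sqli": 0.9, "xss": 0.8, "idor": 0.4, "ssrf": 0.5, "auth_bypass": 0.3}
    out: List[Finding] = []
    for endpoint, vc in sorted(truth):  # sorted for reproducibility
        if rng.random() < p_detect[vc]:
            out.append(Finding(endpoint, vc, rng.uniform(0, duration_s)))
    for _ in range(false_positives):
        endpoint = f"/api/v1/resource{rng.randrange(1000)}"
        vc = rng.choice(VULN_CLASSES)
        if (endpoint, vc) not in truth:
            out.append(Finding(endpoint, vc, rng.uniform(0, duration_s)))
    return out


if __name__ == "__main__":
    for seed in range(3):
        truth = generate_target(seed)
        findings = simulated_process(truth, seed)
        print(seed, score(truth, findings))
        print("   recall by time:", recall_curve(truth, findings, [600, 1800, 3600]))
```

Running the same seeds against two versions of a process gives a paired comparison on identical ground truth; the recall curve answers whether a shorter time box is worth having, and the per-class recall shows which classification is doing the work.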