Is there a worthwhile distinction between HTTP and other protocols?
Checklists and loops come up a lot, but they don't sit right with my brain. Can they be merged in a satisfying way?
Can a security test be benchmarked in a useful way? Breadth-first or depth-first testing? Coverage will be incomplete; how is it maximized?
What value does vulnerability classification provide to the testing process? By testing technique? Vector? Exposure? Impact?
What factors determine impact? Headlines? Fines? Crimes? Consumer perceptions?
What is the minimum time to make a valuable statement about an application? How are time and value related? Can a process relate time and meaning linearly? Is that valuable? A baseline from regulations? An upper limit of the best new research?
What does security testing look like in a DevOps environment?
What can security testing apply from other software testing types? Can this be transferred back to facilitate DevOps?