Some thoughts from over the holiday weekend.
1) Is time (adding or taking away) the only defense against web application timing attacks?
2) What good is using SSL to encrypt usernames/passwords when all other sensitive data is not?
3) Who is getting fined for how much due to lack of PCI-DSS compliance?
4) If automated vulnerability scanning of an application is a test of the tool's intelligence, is manual testing a test of the human's intelligence?
5) When, oh when, will the TCv2 finally be finished!? :)