We are seeing the proliferation of apps using JSON, AJAX, REST, etc. These apps have vulns that aren't being tested by scanners and people don't know how to test them, yet there are serious vulns there.

What about HTML5, what are the new vulnerabilities and protections? How can we test them?

What are the challenges, and solutions, for an automated scanner to overcome authentication?

How do you handle technologies such as Flash?

Which seems to have more vulnerabilities, in-house written apps, open-source or commercial? Or are they all even? What advice do you have for folks looking to acquire an application to solve a business problem?

Scanners traditionally have trouble with certain vulnerabilities, which ones are the most problematic?

Are people testing them by hand? If so, what can you do to be the most efficient?

Scanners haven't really kept up with the application technology and the coverage gap is widening. Scanners need more application coverage. They will never cover all of the app, but they should cover more. What are your thoughts on that as pen testers? How do you balance manual and automated testing?

Which vulnerability, with respects to web applications, goes unnoticed and unlatched the most?

What training options are available for application developers?

What advice do you have for folks who want to get started and learn how to test web applications for security?