I use Burp Suite for a lot of my testing (though I do love ZAP as well). Here is their roadmap for the next year or so.
You have probably heard that Microsoft's CryptoAPI has a bug. The US Government has a good writeup.
Speaking of governments, the UK cybercommand has a really great article on security antipatterns.
And finally: SHA-1 is now provably broken. Time to move on from it as a session identifier.
That's the news, folks.