I think there should be more sec-pen and developer sessions. Can you imagine the interest if you had a sec-pen highlighting an issue, like click-jacking, iFrames, session & cookie issues, then following this up with remediation on how to combat it? Even the simple things, like the config entries to combat these types of things. I think you would need a decent room... Why not show this through Burp, Wireshark, then show the difference with the config in place? Some of it's straightforward (when you know).