Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
One of the joys of teaching is that students can support and stimulate teachers' curiosity and enthusiasm. Norwich University Computer Security and Information Assurance major Amanda Brown is a brilliant and enthusiastic contributor to the Cyberlaw/Cybercrime class and a stalwart of the Norwich Security and Forensics Club. She often circulates interesting references and recently pointed the class to a new white paper (“Continuing Business with Malware Infected Customers: Best Practices and the Security Ergonomics of Web Application Design for Compromised Customer Hosts”) by Gunter Ollmann, director of security strategy for IBM Internet Security Systems. I am grateful to her for introducing me to Ollmann's fine collection of published works and want readers to be aware of his contributions to the field.
The first section readers might like to explore on the Web site he calls “Technical Info: making sense of security” is the collection of white papers on a number of hot topics in security. Because the index page has excellent abstracts, I’ll simply list the titles and subtitles and urge readers to visit the site themselves:
* Advice on Assessing your Custom Application
* Advice on Assessing your IT Security Posture
* Anti Brute Force Resource Metering: Helping to Restrict Web-based Application Brute Force Guessing Attacks through Resource Metering
* Application Assessment Questioning: What should a consultant be looking for when conducting an application assessment?
* Application Security Assessments
* Assessing Your Security
* Attacks Using the common web browser
* Best Practices on Securing Custom HTML Authentication Procedures
* Continuing Business with Malware Infected Customers: Best Practices and the Security Ergonomics of Web Application Design for Compromised Customer Hosts
* Custom HTML Authentication
* HTML Code Injection and Cross-site Scripting: Understanding the cause and effect of CSS (XSS) Vulnerabilities
* Instant Messenger Security: Securing against the "threat" of instant messengers
* Mail Non-delivery Notice Attacks
* Old Threats Never Die: Why Protection for Old Vulnerabilities can never be Retired
* Passive Information Gathering: The Analysis of Leaked Network Security Information
* Pharming Guide, The
* Phishing Guide: Understanding and Preventing Phishing Attacks, The
* Second-order Code Injection: Advanced Code Injection Techniques and Testing Procedures
* Securing WLAN Technologies: Secure Configuration Advice on Wireless Network Setup
* Security Best Practice - Host Naming and URL Conventions Security: Considerations for Web-based Applications
* SEO Code Injection: Search Engine Optimization Poisoning
* Stopping Automated Attack Tools: An analysis of web-based application techniques capable of defending against current and future automated attack tools
* Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the "insecurity iceberg"
* URL Embedded Attacks
* Vishing Guide: A close look at voice phishing, The
* Web Based Session Management: Best practices in managing HTTP-based client sessions
* X-morphic Exploitation: One-of-a-kind Exploit Delivery Systems and Services
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.