diff --git a/abgaben/referenzen.bib b/abgaben/referenzen.bib
new file mode 100644
index 0000000..e10c72b
--- /dev/null
+++ b/abgaben/referenzen.bib
@@ -0,0 +1,542 @@
+% Referenzen für 4ca – Bedrohungsmodellierung / OWASP
+
+@misc{owasp_top10_2021,
+ author = {{OWASP Foundation}},
+ title = {{OWASP Top 10:2021}},
+ year = {2021},
+ url = {https://owasp.org/Top10/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{owasp_asvs,
+ author = {{OWASP Foundation}},
+ title = {{Application Security Verification Standard (ASVS) v4.0.3}},
+ year = {2021},
+ url = {https://owasp.org/www-project-application-security-verification-standard/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{owasp_risk_rating,
+ author = {{OWASP Foundation}},
+ title = {{OWASP Risk Rating Methodology}},
+ year = {2021},
+ url = {https://owasp.org/www-community/OWASP_Risk_Rating_Methodology},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{cwe_mitre,
+ author = {{MITRE Corporation}},
+ title = {{Common Weakness Enumeration (CWE)}},
+ year = {2024},
+ url = {https://cwe.mitre.org/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{mitre_attack,
+ author = {{MITRE Corporation}},
+ title = {{MITRE ATT\&CK Enterprise Matrix}},
+ year = {2024},
+ url = {https://attack.mitre.org/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@techreport{nist_sp800_53,
+ author = {{National Institute of Standards and Technology}},
+ title = {{Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)}},
+ institution = {NIST},
+ year = {2020},
+ number = {SP 800-53 Rev. 5},
+ doi = {10.6028/NIST.SP.800-53r5}
+}
+
+@techreport{bsi_app31,
+ author = {{Bundesamt für Sicherheit in der Informationstechnik}},
+ title = {{IT-Grundschutz-Baustein APP.3.1: Webanwendungen und Webservices}},
+ institution = {BSI},
+ year = {2023},
+ url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2023.pdf}
+}
+
+@techreport{nist_pqc_2024,
+ author = {{National Institute of Standards and Technology}},
+ title = {{Post-Quantum Cryptography Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA)}},
+ institution = {NIST},
+ year = {2024},
+ url = {https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization}
+}
+
+@misc{spycloud_2024,
+ author = {{SpyCloud}},
+ title = {{Annual Identity Exposure Report 2024}},
+ year = {2024},
+ url = {https://spycloud.com/resource/2024-annual-identity-exposure-report/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{mandiant_mtrends_2024,
+ author = {{Mandiant}},
+ title = {{M-Trends 2024: Special Report}},
+ year = {2024},
+ url = {https://www.mandiant.com/m-trends},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{uber_breach_2022,
+ author = {{Uber Technologies}},
+ title = {{Security Update -- September 2022}},
+ year = {2022},
+ url = {https://www.uber.com/newsroom/security-update/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{capitalone_breach_2019,
+ author = {Krebs, Brian},
+ title = {{Capital One Data Theft Impacts 106M People}},
+ howpublished = {KrebsOnSecurity},
+ year = {2019},
+ url = {https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{twitter_plaintext_2018,
+ author = {{Twitter}},
+ title = {{Keeping your account secure}},
+ year = {2018},
+ url = {https://blog.twitter.com/en_us/topics/company/2018/keeping-your-account-secure},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{cve_log4shell,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2021-44228: Apache Log4j2 Remote Code Execution (Log4Shell)}},
+ year = {2021},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2021-44228},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_spring4shell,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2022-22965: Spring Framework Remote Code Execution (Spring4Shell)}},
+ year = {2022},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2022-22965},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_confluence_2022,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2022-26134: Confluence Server OGNL Injection}},
+ year = {2022},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2022-26134},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_freak,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2015-0204: FREAK – Factoring RSA Export Keys}},
+ year = {2015},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2015-0204},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_logjam,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2015-4000: Logjam TLS Downgrade Attack}},
+ year = {2015},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2015-4000},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_crime,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2012-4929: CRIME -- Compression Ratio Info-leak Made Easy}},
+ year = {2012},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2012-4929},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_jackson_2017,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2017-7525: Jackson-databind Deserialization Vulnerability}},
+ year = {2017},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2017-7525},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_jquery_2019,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2019-11358: jQuery Prototype Pollution}},
+ year = {2019},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2019-11358},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_dompurify_2020,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2020-26870: DOMPurify Mutation XSS Bypass}},
+ year = {2020},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2020-26870},
+ note = {National Vulnerability Database}
+}
+
+@misc{cve_exchange_2020,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2020-0688: Microsoft Exchange Server Remote Code Execution}},
+ year = {2020},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2020-0688},
+ note = {National Vulnerability Database}
+}
+
+@misc{iso_27001,
+ author = {{International Organization for Standardization}},
+ title = {{ISO/IEC 27001:2022 -- Information Security Management Systems}},
+ year = {2022},
+ url = {https://www.iso.org/standard/82875.html}
+}
+
+@misc{nis2_directive,
+ author = {{Europäisches Parlament und Rat der Europäischen Union}},
+ title = {{Richtlinie (EU) 2022/2555 über Maßnahmen für ein hohes gemeinsames Cybersicherheitsniveau in der Union (NIS2)}},
+ year = {2022},
+ url = {https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32022L2555}
+}
+
+@misc{dsgvo_art32,
+ author = {{Europäisches Parlament und Rat der Europäischen Union}},
+ title = {{Verordnung (EU) 2016/679 -- Datenschutz-Grundverordnung (DSGVO), Art. 32}},
+ year = {2016},
+ url = {https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679}
+}
+
+@misc{fido2_webauthn,
+ author = {{W3C and FIDO Alliance}},
+ title = {{Web Authentication (WebAuthn) Level 2}},
+ year = {2021},
+ url = {https://www.w3.org/TR/webauthn-2/},
+ note = {W3C Recommendation}
+}
+
+@article{bell_lapadula,
+ author = {Bell, D. E. and LaPadula, L. J.},
+ title = {{Secure Computer Systems: Mathematical Foundations}},
+ journal = {MITRE Technical Report MTR-2547},
+ year = {1973},
+ institution = {The MITRE Corporation}
+}
+
+@misc{akamai_soti_2024,
+ author = {{Akamai Technologies}},
+ title = {{State of the Internet / Security: Credential Stuffing Report}},
+ year = {2024},
+ url = {https://www.akamai.com/resources/state-of-the-internet/soti-security},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{hibp,
+ author = {Hunt, Troy},
+ title = {{Have I Been Pwned -- Check if your email has been compromised}},
+ year = {2013},
+ url = {https://haveibeenpwned.com/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@techreport{rfc9106_argon2,
+ author = {Biryukov, Alex and Dinu, Daniel and Khovratovich, Dmitry and Josefsson, Simon},
+ title = {{Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications (RFC 9106)}},
+ institution = {IETF},
+ year = {2021},
+ number = {RFC 9106},
+ doi = {10.17487/RFC9106}
+}
+
+@misc{owasp_sqli_cheatsheet,
+ author = {{OWASP Foundation}},
+ title = {{SQL Injection Prevention Cheat Sheet}},
+ year = {2024},
+ url = {https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{owasp_csrf_cheatsheet,
+ author = {{OWASP Foundation}},
+ title = {{Cross-Site Request Forgery Prevention Cheat Sheet}},
+ year = {2024},
+ url = {https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{doyensec_2023,
+ author = {{Doyensec}},
+ title = {{Threat Intelligence Platform Security Assessment -- Findings Summary}},
+ year = {2023},
+ note = {Interner Penetrationstest-Bericht; nicht öffentlich zugänglich}
+}
+
+@misc{cve_jenkins_2017,
+ author = {{MITRE Corporation}},
+ title = {{CVE-2017-1000353: Jenkins Remote Code Execution via Unsafe Deserialization}},
+ year = {2017},
+ url = {https://nvd.nist.gov/vuln/detail/CVE-2017-1000353},
+ note = {National Vulnerability Database}
+}
+
+@misc{trusted_types_w3c,
+ author = {{W3C}},
+ title = {{Trusted Types -- W3C Working Draft}},
+ year = {2024},
+ url = {https://w3c.github.io/trusted-types/dist/spec/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+% ── Neue Quellen (3b-Vertiefung) ────────────────────────────────────────────
+
+@misc{bsi_grundschutz_online_kurs,
+ author = {{Bundesamt für Sicherheit in der Informationstechnik}},
+ title = {{Online-Kurs IT-Grundschutz -- Lektion 1: Einführung}},
+ year = {2024},
+ url = {https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/Zertifizierte-Informationssicherheit/IT-Grundschutzschulung/Online-Kurs-IT-Grundschutz/online-kurs-it-grundschutz_node.html},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{bsi_standards,
+ author = {{Bundesamt für Sicherheit in der Informationstechnik}},
+ title = {{BSI-Standards zur Informationssicherheit}},
+ year = {2024},
+ url = {https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/bsi-standards_node.html},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@techreport{bsi_200_2,
+ author = {{Bundesamt für Sicherheit in der Informationstechnik}},
+ title = {{BSI-Standard 200-2: IT-Grundschutz-Methodik}},
+ institution = {BSI},
+ year = {2017},
+ url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_2.pdf}
+}
+
+@techreport{bsi_200_3,
+ author = {{Bundesamt für Sicherheit in der Informationstechnik}},
+ title = {{BSI-Standard 200-3: Risikoanalyse auf der Basis von IT-Grundschutz}},
+ institution = {BSI},
+ year = {2017},
+ url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_3.pdf}
+}
+
+@misc{bdsg_2018,
+ author = {{Bundesrepublik Deutschland}},
+ title = {{Bundesdatenschutzgesetz (BDSG) in der Fassung vom 30.06.2017}},
+ year = {2017},
+ url = {https://www.gesetze-im-internet.de/bdsg_2018/},
+ note = {BGBl. I S. 2097}
+}
+
+@techreport{iso_31000,
+ author = {{International Organization for Standardization}},
+ title = {{ISO 31000:2018 -- Risk Management: Guidelines}},
+ institution = {ISO},
+ year = {2018},
+ number = {ISO 31000:2018},
+ url = {https://www.iso.org/standard/65694.html}
+}
+
+@misc{iec_62443,
+ author = {{International Electrotechnical Commission}},
+ title = {{IEC 62443: Security for Industrial Automation and Control Systems}},
+ year = {2023},
+ url = {https://www.iec.ch/iecnorm/4716/}
+}
+
+@misc{iec_61508,
+ author = {{International Electrotechnical Commission}},
+ title = {{IEC 61508: Functional Safety of E/E/PE Safety-Related Systems}},
+ year = {2010},
+ url = {https://www.iec.ch/functionalsafety/}
+}
+
+@misc{eu_cra,
+ author = {{Europäisches Parlament und Rat der Europäischen Union}},
+ title = {{Verordnung (EU) 2024/2847 -- Cyber Resilience Act (CRA)}},
+ year = {2024},
+ url = {https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32024R2847}
+}
+
+@misc{mitre_capec,
+ author = {{MITRE Corporation}},
+ title = {{Common Attack Pattern Enumeration and Classification (CAPEC)}},
+ year = {2024},
+ url = {https://capec.mitre.org/},
+ note = {Abgerufen am 09.06.2026}
+}
+
+@misc{enisa_threat_landscape,
+ author = {{European Union Agency for Cybersecurity (ENISA)}},
+ title = {{ENISA Threat Landscape 2024}},
+ year = {2024},
+ url = {https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024},
+ note = {Abgerufen am 09.06.2026}
+}
+
+% ── CWE – Common Weakness Enumeration ───────────────────────────────────────
+
+@misc{cwe20,
+ author = {{MITRE Corporation}},
+ title = {{CWE-20: Improper Input Validation}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/20.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{cwe89,
+ author = {{MITRE Corporation}},
+ title = {{CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/89.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{cwe287,
+ author = {{MITRE Corporation}},
+ title = {{CWE-287: Improper Authentication}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/287.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{cwe307,
+ author = {{MITRE Corporation}},
+ title = {{CWE-307: Improper Restriction of Excessive Authentication Attempts}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/307.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{cwe502,
+ author = {{MITRE Corporation}},
+ title = {{CWE-502: Deserialization of Untrusted Data}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/502.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{cwe521,
+ author = {{MITRE Corporation}},
+ title = {{CWE-521: Weak Password Requirements}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/521.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{cwe611,
+ author = {{MITRE Corporation}},
+ title = {{CWE-611: Improper Restriction of XML External Entity Reference}},
+ year = {2024},
+ url = {https://cwe.mitre.org/data/definitions/611.html},
+ note = {Abgerufen am 16.06.2026}
+}
+
+% ── MITRE ATT&CK – Offensive Taktiken ───────────────────────────────────────
+
+@misc{t1059,
+ author = {{MITRE Corporation}},
+ title = {{T1059: Command and Scripting Interpreter}},
+ year = {2024},
+ url = {https://attack.mitre.org/techniques/T1059/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{t1078,
+ author = {{MITRE Corporation}},
+ title = {{T1078: Valid Accounts}},
+ year = {2024},
+ url = {https://attack.mitre.org/techniques/T1078/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{t1110004,
+ author = {{MITRE Corporation}},
+ title = {{T1110.004: Brute Force -- Credential Stuffing}},
+ year = {2024},
+ url = {https://attack.mitre.org/techniques/T1110/004/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{t1190,
+ author = {{MITRE Corporation}},
+ title = {{T1190: Exploit Public-Facing Application}},
+ year = {2024},
+ url = {https://attack.mitre.org/techniques/T1190/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+% ── MITRE D3FEND – Defensive Gegenmaßnahmen ─────────────────────────────────
+
+@misc{d3anci,
+ author = {{MITRE Corporation}},
+ title = {{D3-ANCI: Authentication Cache Invalidation}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:AuthenticationCacheInvalidation/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3cf,
+ author = {{MITRE Corporation}},
+ title = {{D3-CF: Content Filtering}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:ContentFiltering/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3ch,
+ author = {{MITRE Corporation}},
+ title = {{D3-CH: Credential Hardening}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:CredentialHardening/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3cts,
+ author = {{MITRE Corporation}},
+ title = {{D3-CTS: Credential Transmission Scoping}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:CredentialTransmissionScoping/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3cv,
+ author = {{MITRE Corporation}},
+ title = {{D3-CV: Content Validation}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:ContentValidation/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3dqsa,
+ author = {{MITRE Corporation}},
+ title = {{D3-DQSA: Database Query String Analysis}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3ma,
+ author = {{MITRE Corporation}},
+ title = {{D3-MA: Message Authentication}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:MessageAuthentication/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3mfa,
+ author = {{MITRE Corporation}},
+ title = {{D3-MFA: Multi-factor Authentication}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/},
+ note = {Abgerufen am 16.06.2026}
+}
+
+@misc{d3spp,
+ author = {{MITRE Corporation}},
+ title = {{D3-SPP: Strong Password Policy}},
+ year = {2024},
+ url = {https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/},
+ note = {Abgerufen am 16.06.2026}
+}
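Review bot: `bell_lapadula` is typed `@article` but puts a report series in `journal` and adds an `institution` field that the standard `@article` styles ignore, so it renders as a journal paper with no publisher; it should read `@techreport{bell_lapadula,` with `institution = {The MITRE Corporation},` and `number = {MTR-2547},` in place of the `journal` line. The CVE entries (`cve_log4shell` through `cve_exchange_2020` and `cve_jenkins_2017`) name `{{MITRE Corporation}}` as author while `url` and `note` point at NIST's National Vulnerability Database; pick one record consistently (cve.org for the MITRE/CNA record, or NIST as author for the NVD record) so a reader can tell which source the vulnerability details were taken from. `cve_freak` uses a literal en dash where every other title uses `--`, and the author and title fields carry raw UTF-8 (`für`, `Maßnahmen`, `öffentlich`), which sorts and labels correctly only under biblatex/Biber or an 8-bit-aware setup — if the document is built with classic `bibtex`, those need `{\"u}`/`{\ss}`/`{\"o}` escapes. As a point of style, every title is wrapped in double braces, which switches off the style's casing entirely; bracing only the acronyms and proper nouns (e.g. `{OWASP} Top 10:2021`) keeps the database style-independent.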