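% References for chapter 4ca - threat modelling / OWASP
%
% Conventions used in this file (read before adding entries):
%   - Corporate authors are double-braced so BibTeX treats them as one name
%     (this also neutralises a literal " and " inside a name such as "W3C and FIDO Alliance").
%   - Titles are double-braced on purpose: the German titles and the many acronyms
%     (OWASP, ASVS, CWE, CVE-...) must not be sentence-cased by the style.
%   - Field values contain UTF-8 (ä, ü, ß). This requires biblatex+Biber or an input
%     encoding the chosen BibTeX engine understands - verify against the document preamble.
%   - Web sources carry the access date in `note` ("Abgerufen am DD.MM.YYYY");
%     the publishing medium, where relevant, goes into `howpublished`.
%   - CVE entries: the CVE record is issued by the CVE Program (MITRE / CNAs); the cited
%     NVD pages add NIST's CVSS and CPE enrichment, which can lag behind the record.
%     When quoting a CVSS score in the text, cite the NVD page version you actually read.

@misc{owasp_top10_2021,
  author = {{OWASP Foundation}},
  title  = {{OWASP Top 10:2021}},
  year   = {2021},
  url    = {https://owasp.org/Top10/},
  note   = {Abgerufen am 09.06.2026}
}

% Pinned to ASVS 4.0.3 deliberately; check whether the chapter's control mapping
% should target a newer ASVS release before reusing these references elsewhere.
@misc{owasp_asvs,
  author = {{OWASP Foundation}},
  title  = {{Application Security Verification Standard (ASVS) v4.0.3}},
  year   = {2021},
  url    = {https://owasp.org/www-project-application-security-verification-standard/},
  note   = {Abgerufen am 09.06.2026}
}

@misc{owasp_risk_rating,
  author = {{OWASP Foundation}},
  title  = {{OWASP Risk Rating Methodology}},
  year   = {2021},
  url    = {https://owasp.org/www-community/OWASP_Risk_Rating_Methodology},
  note   = {Abgerufen am 09.06.2026}
}

@misc{cwe_mitre,
  author = {{MITRE Corporation}},
  title  = {{Common Weakness Enumeration (CWE)}},
  year   = {2024},
  url    = {https://cwe.mitre.org/},
  note   = {Abgerufen am 09.06.2026}
}

@misc{mitre_attack,
  author = {{MITRE Corporation}},
  title  = {{MITRE ATT\&CK Enterprise Matrix}},
  year   = {2024},
  url    = {https://attack.mitre.org/},
  note   = {Abgerufen am 09.06.2026}
}

@techreport{nist_sp800_53,
  author      = {{National Institute of Standards and Technology}},
  title       = {{Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)}},
  institution = {NIST},
  year        = {2020},
  number      = {SP 800-53 Rev. 5},
  doi         = {10.6028/NIST.SP.800-53r5}
}

@techreport{bsi_app31,
  author      = {{Bundesamt für Sicherheit in der Informationstechnik}},
  title       = {{IT-Grundschutz-Baustein APP.3.1: Webanwendungen und Webservices}},
  institution = {BSI},
  year        = {2023},
  url         = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2023.pdf}
}

@techreport{nist_pqc_2024,
  author      = {{National Institute of Standards and Technology}},
  title       = {{Post-Quantum Cryptography Standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA)}},
  institution = {NIST},
  year        = {2024},
  url         = {https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization}
}

@misc{spycloud_2024,
  author = {{SpyCloud}},
  title  = {{Annual Identity Exposure Report 2024}},
  year   = {2024},
  url    = {https://spycloud.com/resource/2024-annual-identity-exposure-report/},
  note   = {Abgerufen am 09.06.2026}
}

@misc{mandiant_mtrends_2024,
  author = {{Mandiant}},
  title  = {{M-Trends 2024: Special Report}},
  year   = {2024},
  url    = {https://www.mandiant.com/m-trends},
  note   = {Abgerufen am 09.06.2026}
}

% Incident write-ups below are vendor or press statements, not forensic reports;
% treat attributed root causes as the publisher's account.
@misc{uber_breach_2022,
  author = {{Uber Technologies}},
  title  = {{Security Update -- September 2022}},
  year   = {2022},
  url    = {https://www.uber.com/newsroom/security-update/},
  note   = {Abgerufen am 09.06.2026}
}

@misc{capitalone_breach_2019,
  author       = {Krebs, Brian},
  title        = {{Capital One Data Theft Impacts 106M People}},
  howpublished = {KrebsOnSecurity},
  year         = {2019},
  url          = {https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/},
  note         = {Abgerufen am 09.06.2026}
}

@misc{twitter_plaintext_2018,
  author = {{Twitter}},
  title  = {{Keeping your account secure}},
  year   = {2018},
  url    = {https://blog.twitter.com/en_us/topics/company/2018/keeping-your-account-secure},
  note   = {Abgerufen am 09.06.2026}
}

% -- CVE records (NVD pages) ----------------------------------------------------
% `howpublished` names the medium; `year` is the CVE year, not the NVD last-modified date.

@misc{cve_log4shell,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2021-44228: Apache Log4j2 Remote Code Execution (Log4Shell)}},
  howpublished = {National Vulnerability Database},
  year         = {2021},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2021-44228}
}

@misc{cve_spring4shell,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2022-22965: Spring Framework Remote Code Execution (Spring4Shell)}},
  howpublished = {National Vulnerability Database},
  year         = {2022},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2022-22965}
}

@misc{cve_confluence_2022,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2022-26134: Confluence Server OGNL Injection}},
  howpublished = {National Vulnerability Database},
  year         = {2022},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2022-26134}
}

@misc{cve_freak,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2015-0204: FREAK - Factoring RSA Export Keys}},
  howpublished = {National Vulnerability Database},
  year         = {2015},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2015-0204}
}

@misc{cve_logjam,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2015-4000: Logjam TLS Downgrade Attack}},
  howpublished = {National Vulnerability Database},
  year         = {2015},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2015-4000}
}

@misc{cve_crime,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2012-4929: CRIME -- Compression Ratio Info-leak Made Easy}},
  howpublished = {National Vulnerability Database},
  year         = {2012},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2012-4929}
}

@misc{cve_jackson_2017,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2017-7525: Jackson-databind Deserialization Vulnerability}},
  howpublished = {National Vulnerability Database},
  year         = {2017},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2017-7525}
}

@misc{cve_jquery_2019,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2019-11358: jQuery Prototype Pollution}},
  howpublished = {National Vulnerability Database},
  year         = {2019},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2019-11358}
}

@misc{cve_dompurify_2020,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2020-26870: DOMPurify Mutation XSS Bypass}},
  howpublished = {National Vulnerability Database},
  year         = {2020},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2020-26870}
}

@misc{cve_exchange_2020,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2020-0688: Microsoft Exchange Server Remote Code Execution}},
  howpublished = {National Vulnerability Database},
  year         = {2020},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2020-0688}
}

% -- Standards and regulation ---------------------------------------------------

@techreport{iso_27001,
  author      = {{International Organization for Standardization}},
  title       = {{ISO/IEC 27001:2022 -- Information Security Management Systems}},
  institution = {ISO},
  year        = {2022},
  number      = {ISO/IEC 27001:2022},
  url         = {https://www.iso.org/standard/82875.html}
}

@misc{nis2_directive,
  author = {{Europäisches Parlament und Rat der Europäischen Union}},
  title  = {{Richtlinie (EU) 2022/2555 über Maßnahmen für ein hohes gemeinsames Cybersicherheitsniveau in der Union (NIS2)}},
  year   = {2022},
  url    = {https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32022L2555}
}

@misc{dsgvo_art32,
  author = {{Europäisches Parlament und Rat der Europäischen Union}},
  title  = {{Verordnung (EU) 2016/679 -- Datenschutz-Grundverordnung (DSGVO), Art. 32}},
  year   = {2016},
  url    = {https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32016R0679}
}

@misc{fido2_webauthn,
  author = {{W3C and FIDO Alliance}},
  title  = {{Web Authentication (WebAuthn) Level 2}},
  year   = {2021},
  url    = {https://www.w3.org/TR/webauthn-2/},
  note   = {W3C Recommendation}
}

% MTR-2547 is a MITRE technical report, not a journal article: the previous
% `article` entry put the report series into `journal` and carried an
% `institution` field that article styles silently drop.
@techreport{bell_lapadula,
  author      = {Bell, D. E. and LaPadula, L. J.},
  title       = {{Secure Computer Systems: Mathematical Foundations}},
  institution = {The MITRE Corporation},
  type        = {Technical Report},
  number      = {MTR-2547},
  year        = {1973}
}

@misc{akamai_soti_2024,
  author = {{Akamai Technologies}},
  title  = {{State of the Internet / Security: Credential Stuffing Report}},
  year   = {2024},
  url    = {https://www.akamai.com/resources/state-of-the-internet/soti-security},
  note   = {Abgerufen am 09.06.2026}
}

@misc{hibp,
  author = {Hunt, Troy},
  title  = {{Have I Been Pwned -- Check if your email has been compromised}},
  year   = {2013},
  url    = {https://haveibeenpwned.com/},
  note   = {Abgerufen am 09.06.2026}
}

% `type` replaces the default "Technical Report" label so the entry renders as "RFC 9106".
@techreport{rfc9106_argon2,
  author      = {Biryukov, Alex and Dinu, Daniel and Khovratovich, Dmitry and Josefsson, Simon},
  title       = {{Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications (RFC 9106)}},
  institution = {IETF},
  type        = {RFC},
  number      = {9106},
  year        = {2021},
  doi         = {10.17487/RFC9106}
}

@misc{owasp_sqli_cheatsheet,
  author = {{OWASP Foundation}},
  title  = {{SQL Injection Prevention Cheat Sheet}},
  year   = {2024},
  url    = {https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html},
  note   = {Abgerufen am 09.06.2026}
}

@misc{owasp_csrf_cheatsheet,
  author = {{OWASP Foundation}},
  title  = {{Cross-Site Request Forgery Prevention Cheat Sheet}},
  year   = {2024},
  url    = {https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html},
  note   = {Abgerufen am 09.06.2026}
}

% Non-public source: the pentest report cannot be independently verified by a reader.
% Any finding attributed to it in the text should say so explicitly.
@misc{doyensec_2023,
  author = {{Doyensec}},
  title  = {{Threat Intelligence Platform Security Assessment -- Findings Summary}},
  year   = {2023},
  note   = {Interner Penetrationstest-Bericht; nicht öffentlich zugänglich}
}

@misc{cve_jenkins_2017,
  author       = {{MITRE Corporation}},
  title        = {{CVE-2017-1000353: Jenkins Remote Code Execution via Unsafe Deserialization}},
  howpublished = {National Vulnerability Database},
  year         = {2017},
  url          = {https://nvd.nist.gov/vuln/detail/CVE-2017-1000353}
}

% Working Draft: the spec text at this URL changes; re-check quoted API names before publication.
@misc{trusted_types_w3c,
  author = {{W3C}},
  title  = {{Trusted Types -- W3C Working Draft}},
  year   = {2024},
  url    = {https://w3c.github.io/trusted-types/dist/spec/},
  note   = {Abgerufen am 09.06.2026}
}

% -- New sources (3b deep-dive) -------------------------------------------------

@misc{bsi_grundschutz_online_kurs,
  author = {{Bundesamt für Sicherheit in der Informationstechnik}},
  title  = {{Online-Kurs IT-Grundschutz -- Lektion 1: Einführung}},
  year   = {2024},
  url    = {https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/Zertifizierte-Informationssicherheit/IT-Grundschutzschulung/Online-Kurs-IT-Grundschutz/online-kurs-it-grundschutz_node.html},
  note   = {Abgerufen am 09.06.2026}
}

@misc{bsi_standards,
  author = {{Bundesamt für Sicherheit in der Informationstechnik}},
  title  = {{BSI-Standards zur Informationssicherheit}},
  year   = {2024},
  url    = {https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/bsi-standards_node.html},
  note   = {Abgerufen am 09.06.2026}
}

@techreport{bsi_200_2,
  author      = {{Bundesamt für Sicherheit in der Informationstechnik}},
  title       = {{BSI-Standard 200-2: IT-Grundschutz-Methodik}},
  institution = {BSI},
  year        = {2017},
  url         = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_2.pdf}
}

@techreport{bsi_200_3,
  author      = {{Bundesamt für Sicherheit in der Informationstechnik}},
  title       = {{BSI-Standard 200-3: Risikoanalyse auf der Basis von IT-Grundschutz}},
  institution = {BSI},
  year        = {2017},
  url         = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_3.pdf}
}

@misc{bdsg_2018,
  author = {{Bundesrepublik Deutschland}},
  title  = {{Bundesdatenschutzgesetz (BDSG) in der Fassung vom 30.06.2017}},
  year   = {2017},
  url    = {https://www.gesetze-im-internet.de/bdsg_2018/},
  note   = {BGBl. I S. 2097}
}

@techreport{iso_31000,
  author      = {{International Organization for Standardization}},
  title       = {{ISO 31000:2018 -- Risk Management: Guidelines}},
  institution = {ISO},
  year        = {2018},
  number      = {ISO 31000:2018},
  url         = {https://www.iso.org/standard/65694.html}
}

@misc{iec_62443,
  author = {{International Electrotechnical Commission}},
  title  = {{IEC 62443: Security for Industrial Automation and Control Systems}},
  year   = {2023},
  url    = {https://www.iec.ch/iecnorm/4716/}
}

@misc{iec_61508,
  author = {{International Electrotechnical Commission}},
  title  = {{IEC 61508: Functional Safety of E/E/PE Safety-Related Systems}},
  year   = {2010},
  url    = {https://www.iec.ch/functionalsafety/}
}

@misc{eu_cra,
  author = {{Europäisches Parlament und Rat der Europäischen Union}},
  title  = {{Verordnung (EU) 2024/2847 -- Cyber Resilience Act (CRA)}},
  year   = {2024},
  url    = {https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32024R2847}
}

@misc{mitre_capec,
  author = {{MITRE Corporation}},
  title  = {{Common Attack Pattern Enumeration and Classification (CAPEC)}},
  year   = {2024},
  url    = {https://capec.mitre.org/},
  note   = {Abgerufen am 09.06.2026}
}

@misc{enisa_threat_landscape,
  author = {{European Union Agency for Cybersecurity (ENISA)}},
  title  = {{ENISA Threat Landscape 2024}},
  year   = {2024},
  url    = {https://www.enisa.europa.eu/publications/enisa-threat-landscape-2024},
  note   = {Abgerufen am 09.06.2026}
}

% -- CWE - Common Weakness Enumeration ------------------------------------------

@misc{cwe20,
  author = {{MITRE Corporation}},
  title  = {{CWE-20: Improper Input Validation}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/20.html},
  note   = {Abgerufen am 16.06.2026}
}

@misc{cwe89,
  author = {{MITRE Corporation}},
  title  = {{CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/89.html},
  note   = {Abgerufen am 16.06.2026}
}

@misc{cwe287,
  author = {{MITRE Corporation}},
  title  = {{CWE-287: Improper Authentication}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/287.html},
  note   = {Abgerufen am 16.06.2026}
}

@misc{cwe307,
  author = {{MITRE Corporation}},
  title  = {{CWE-307: Improper Restriction of Excessive Authentication Attempts}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/307.html},
  note   = {Abgerufen am 16.06.2026}
}

@misc{cwe502,
  author = {{MITRE Corporation}},
  title  = {{CWE-502: Deserialization of Untrusted Data}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/502.html},
  note   = {Abgerufen am 16.06.2026}
}

@misc{cwe521,
  author = {{MITRE Corporation}},
  title  = {{CWE-521: Weak Password Requirements}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/521.html},
  note   = {Abgerufen am 16.06.2026}
}

@misc{cwe611,
  author = {{MITRE Corporation}},
  title  = {{CWE-611: Improper Restriction of XML External Entity Reference}},
  year   = {2024},
  url    = {https://cwe.mitre.org/data/definitions/611.html},
  note   = {Abgerufen am 16.06.2026}
}

% -- MITRE ATT&CK - offensive techniques ----------------------------------------
% Technique pages are versioned; `year` records the ATT&CK release consulted.

@misc{t1059,
  author = {{MITRE Corporation}},
  title  = {{T1059: Command and Scripting Interpreter}},
  year   = {2024},
  url    = {https://attack.mitre.org/techniques/T1059/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{t1078,
  author = {{MITRE Corporation}},
  title  = {{T1078: Valid Accounts}},
  year   = {2024},
  url    = {https://attack.mitre.org/techniques/T1078/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{t1110004,
  author = {{MITRE Corporation}},
  title  = {{T1110.004: Brute Force -- Credential Stuffing}},
  year   = {2024},
  url    = {https://attack.mitre.org/techniques/T1110/004/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{t1190,
  author = {{MITRE Corporation}},
  title  = {{T1190: Exploit Public-Facing Application}},
  year   = {2024},
  url    = {https://attack.mitre.org/techniques/T1190/},
  note   = {Abgerufen am 16.06.2026}
}

% -- MITRE D3FEND - defensive countermeasures -----------------------------------

@misc{d3anci,
  author = {{MITRE Corporation}},
  title  = {{D3-ANCI: Authentication Cache Invalidation}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:AuthenticationCacheInvalidation/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3cf,
  author = {{MITRE Corporation}},
  title  = {{D3-CF: Content Filtering}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:ContentFiltering/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3ch,
  author = {{MITRE Corporation}},
  title  = {{D3-CH: Credential Hardening}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:CredentialHardening/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3cts,
  author = {{MITRE Corporation}},
  title  = {{D3-CTS: Credential Transmission Scoping}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:CredentialTransmissionScoping/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3cv,
  author = {{MITRE Corporation}},
  title  = {{D3-CV: Content Validation}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:ContentValidation/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3dqsa,
  author = {{MITRE Corporation}},
  title  = {{D3-DQSA: Database Query String Analysis}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:DatabaseQueryStringAnalysis/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3ma,
  author = {{MITRE Corporation}},
  title  = {{D3-MA: Message Authentication}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:MessageAuthentication/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3mfa,
  author = {{MITRE Corporation}},
  title  = {{D3-MFA: Multi-factor Authentication}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/},
  note   = {Abgerufen am 16.06.2026}
}

@misc{d3spp,
  author = {{MITRE Corporation}},
  title  = {{D3-SPP: Strong Password Policy}},
  year   = {2024},
  url    = {https://d3fend.mitre.org/technique/d3f:StrongPasswordPolicy/},
  note   = {Abgerufen am 16.06.2026}
}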