OWASP Cornucopia
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic.
Introduction
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when SAFECode published its Practical Security Stories and Security Tasks for Agile Development Environments in July 2012. Cornucopia was created and first used for developer training in August 2012.
The Microsoft SDL team had already published its super Elevation of Privilege: The Threat Modeling Game (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was published under a Creative Commons Attribution License. Cornucopia is based on the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues website app and mobile app developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, are more focused on web application weaknesses than other types of software vulnerabilities, or are not familiar with STRIDE and DREAD.
To start using Cornucopia:
- Either: Obtain or buy a pre-printed deck of cards
- Or: Download the document
- Print the cards onto plain paper or pre-scored card
- Cut/separate the individual cards
- Identify an application, module or component to assess
- Invite business owners, architects, developers, testers along for a card game
- Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
- Select a portion of the deck to start with
- Play the game to discuss & document security requirements (and to win rounds)
- Remember, points make prizes!
The Card Decks
Both current decks have six suits and there are also two Joker cards. Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King).
Website App Edition (previously called Ecommerce Website Edition)
Instead of EoP’s STRIDE suits, Cornucopia suits for the Website App Edition were selected based on the structure of the OWASP Secure Coding Practices - Quick Reference Guide (SCP). The content was mainly drawn from the SCP but with additional consideration of sections in the OWASP Application Security Verification Standard, the OWASP Web Security Testing Guide and David Rook’s Principles of Secure Development. These provided five suits, and a sixth called “Cornucopia” was created for everything else:
- Data validation and encoding
- Authentication
- Session management
- Authorization
- Cryptography
- Cornucopia
Mobile App Edition
The second Cornucopia deck, the “Mobile App Edition”, follows the same principles and game rules as the original OWASP Cornucopia, but has different suits based on the MASVS categories, in addition to the Cornucopia suit:
- Platform & Code
- Authentication & Authorization
- Network & Storage
- Resilience
- Cryptography
- Cornucopia
Mappings
The other driver for Cornucopia was to link the attacks with requirements and verification techniques. An initial aim had been to reference CWE weakness IDs, but these proved too numerous, and instead it was decided to map each card to CAPEC software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.
Each Website App Edition card is also mapped to the 36 primary security stories in the SAFECode document, as well as to the OWASP SCP v2, ASVS v4.0.3 and AppSensor (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.
Likewise, each Mobile App Edition card is mapped to CAPEC and the SAFECode stories, but instead of SCP, ASVS and AppSensor, each card is mapped to OWASP’s Mobile Application Security Verification Standard (MASVS) v2.0 and Mobile Application Security Testing Guide (MASTG) v2.0.
Licensing
OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.
© OWASP Foundation
Other Security Gamification
If you are interested in using gaming for security, also see Elevation of Privilege: The Threat Modeling Game, Security Cards from the University of Washington, the commercial card game Control-Alt-Hack (presentation), OWASP Snakes and Ladders, OWASP Cumulus, and web application security training tools incorporating gamification such as OWASP Hackademic Challenges Project, OWASP Security Shepherd and ITSEC Games.
Additionally, Adam Shostack maintains a list of tabletop security games and related resources at Tabletop Security Games + Cards.
Get the Cards
The primary source document is a [Word document](https://github.com/OWASP/cornucopia/releases/tag/v2.0.0).
However, pre-printed card decks may be more useful, or there are links to the source design files for the cards themselves (see links underneath). You can also choose to play the OWASP Cornucopia Website App Edition and Mobile App Edition online at copi.owasp.org.
Printed
OWASP no longer has a stock of printed decks.
OWASP does not endorse or recommend commercial products or services. However, Agile Stationary offer large print (v1.20) decks at a discount to OWASP Members. They also offer a croupier to help you distribute cards to team members. Also, dotNET lab sell a printed deck which complements their online reference.
Print your own
There are many ways to print copies of the card decks yourself:
- Download the free Adobe Illustrator files and get them professionally printed;
- Print the Word document onto business card blanks;
- Print the Word document onto normal card and cut the cards out individually using the guide; or
- Generate your own cards from the free source XML data file in the repository.
Source files
Source code to generate the Word document, PDFs and InDesign files for printing is maintained in our GitHub repository. Regarding printing the decks, please read: https://github.com/OWASP/cornucopia?tab=readme-ov-file#printing
Cornucopia - Ecommerce Website Edition:
The current version of the Cornucopia Website App Edition guides and cards is v2.00, with updated mapping to ASVS v4.0.3:
v2.0x (current version)
Print-ready design files
- Website App Edition 2.0 card decks and leaflets: EN, ES, FR, PT-BR, NL, NO-NB
- Mobile App Edition 1.0 card decks and leaflets: EN
Print ready files printed in time for OWASP Global AppSec 2024 Lisbon (EN)
How to Play
It is possible to play Cornucopia in many different ways. Here is one way, which is also explained in a YouTube video.
Primary method
A - Preparations
A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
A3. Create a data flow diagram
A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture). See our “Prizes and Swags” section for ideas.
B - Play
One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
B1. Remove the Jokers and a few low-score (2, 3, 4) cards from the Cornucopia suit to ensure each player will have the same number of cards
B2. Shuffle the pack and deal all the cards
B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
B5. Play clockwise, each person must play a card in the same way; if a player has any card of the matching lead suit they must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the trump suit Cornucopia, wins the hand.
B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
B7. Repeat until all the cards are played
C - Scoring
The objective is to identify applicable threats, and win hands (rounds):
C1. Score +1 for each card you can identify as a valid threat to the application under consideration
C2. Score +1 if you win a round
C3. Once all cards have been played, whoever has the most points wins
D - Closure
D1. Review all the applicable threats and the matching security requirements
D2. Create user stories, specifications and test cases as required for your development methodology
See Márk Vinkovits leading a threat modelling talk and group session playing Cornucopia in the OWASP track @hacktivityconf 1510.
Alternative game rules
- If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
- Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
- Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
- Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
- Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
- You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
- In Microsoft’s EoP guidance, they recommend cheating as a good game strategy.
Frequently Asked Questions
Can I copy or edit the game?
Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?
How can I get involved?
Please send ideas or offers of help to the project’s List/Group.
How were the attackers’ names chosen?
EoP begins every description with words like “An attacker can…”. These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from “Alice and Bob”, the original Ecommerce Website Edition used the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, we dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects these sources of names, and is not meant to be world-representative. Some names have been changed over the years to include some more recent project volunteers.
Why aren’t there any images on the card faces?
There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included.
Are the attacks ranked by the number on the card?
Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.
How long does it take to play a round of cards using the full deck?
This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.
What sort of people should play the game?
Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.
Who should take notes and record scores?
It is better if someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.
Should we always use the full deck of cards?
No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all for the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trump suit until people are more familiar with the idea.
What should players do when they have an Ace card that says “invented a new X attack”?
The player can make up any attack they think is valid, but it must match the suit of the card (e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.
I don’t understand what the attack means on each card - is there more detailed information?
Yes, the Wiki Deck was created to help players understand the attacks. See Wiki Deck.
Acknowledgements
Volunteers
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:
- Artim Banyte
- Simon Bennetts
- Thomas Berson
- Tom Brennan
- Graham Bryant
- Fabio Cerullo
- Oana Cornea
- Johanna Curiel
- Todd Dahl
- Ruggero DallAglio
- Luis Enriquez
- André Ferreira
- Ken Ferris
- Darío De Filippis
- Norbert Gaspar
- Spyros Gasteratos
- Sebastien Gioria
- Xavier Godard
- Tobias Gondrom
- Timo Goosen
- Anthony Harrison
- Martin Haslinger
- John Herrlin
- Jerry Hoff
- Toby Irvine
- Marios Kourtesis
- Franck Lacosta
- Mathias Lemaire
- Antonis Manaras
- Jim Manico
- Mark Miller
- Cam Morris
- Grant Ongers
- Susana Romaniz
- Ravishankar Sahadevan
- Tao Sauvage
- Max Alejandro Gómez Sánchez Vergaray
- Johan Sydseter
- Wagner Voltz
- Stephen de Vries
- Colin Watson
Please let us know if we have missed anyone from this list.
Others
- Adam Shostack and the Microsoft SDL Team for the Elevation of Privilege (EoP) Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
- Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
- Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor, Web Framework Security Matrix and MASVS/MASTG projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
- Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the original card back pattern.
- Blackfoot UK Limited for creating and donating print-ready design files, the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and Secure Delivery Ltd for developing and donating Copi, the platform to play Cornucopia and EoP online.
- OWASP’s hard-working employees.
- Current and past OWASP Cornucopia project contributors.
- Colin Watson as author of OWASP Cornucopia Ecommerce Edition, the original card deck.
Road Map
v2.x
Below is a preliminary summary of our wishes, dreams and aspirations for Cornucopia. If you have suggestions or ideas, please feel free to discuss them on our email list or submit them to our list of issues in our repository. If you feel like it and have the opportunity to help with any of the issues below, do not hesitate to get in touch.
Ordered alphabetically and not according to priority.
- Build the requirement map on the card using OpenCRE for easier maintenance and collaboration. cornucopia #595
- Endpoint per card with more information available on copi. copi #6
- Ensure the converter can create print-ready proofs for print-on-demand jobs.
- Include QR codes on the Cornucopia cards. cornucopia #382
- Language review of the existing translations. cornucopia #596
- Migrate the wiki deck to github wiki. cornucopia #1
- Seek worldwide translators and incorporate additional translations for other languages.
Getting Involved
Involvement in the development and promotion of Cornucopia is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.
Localization
Are you fluent in another language? Can you help translate Cornucopia into that language? Note this is a very large task due to the number of documents involved, but the strings are now all available in textual data files.
Use and Promote the Cornucopia Card Decks
Please help raise awareness of Cornucopia by:
- Printing decks of cards and giving them away
- Using Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
- Creating videos about how to play the game
- Developing a mobile app to play the game
Feedback
Please use the friendly project Google Group for feedback:
- What do you like?
- What don’t you like?
- What cards don’t make sense?
- How could the guidance be improved?
- What other decks would you like to see?
Keep the Cards Updated
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the project’s Google Group if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
Create a New Deck
The first deck, Cornucopia Ecommerce Website Edition, has been renamed Cornucopia Website App Edition and is currently available in six languages. There is also a mobile app specific deck called Cornucopia Mobile App Edition available in English only. Do you have an idea for your own application security requirements card deck?
Prizes and Swags
We keep a large selection of design files that can be used for promoting, creating prizes and swag gifts. Here are some ideas, but feel free to use your imagination and come up with your own.
The Back of the card case
The back of our physical decks has room for placing your own logo as a sticker, if you are organizing a Cornucopia session.
The maximum logo sizes are:
- Tarot: 75 mm x 40 mm
- Bridge: 58 mm x 28 mm
Stickers
T-shirts
Cups and mugs
Where to find the design files
Our designs are completely free to use for prizes and swag gifts. Download them from owasp/cornucopia on GitHub.