OWASP Snakes & Ladders
7.9 OWASP Snakes and Ladders
OWASP Snakes & Ladders is an educational project based on the popular board game. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.
This documentation project is an OWASP Lab project, aimed at security builders and defenders.
What is it?
Yes, it really is the snakes & ladders game, but for web and mobile application security. It is played by two competing teams, possibly accompanied by beer and pretzels.
In the board game for web applications, the virtuous behaviours (ladders) are secure coding practices (using the OWASP Proactive Controls) and the vices (snakes) are application security risks from the OWASP Top Ten 2017 version.
The web application version can be downloaded for various languages:
The board game for mobile applications uses the mobile controls detailed in the OWASP Mobile Top 10 as the virtuous behaviours. The vices are the Mobile Top 10 risks from the 2014 version of the project.
The mobile application version is available as a download in English and Japanese
Why use it?
This board game was created so that it could be used as an ice-breaker in application security training. It also has wider appeal as learning materials for developers or simply as a promotional hand-out.
To cover all of that, the Snakes & Ladders project team summarise it as:
“OWASP Snakes and Ladders is meant to be used by software programmers, big and small”
The game is quite lightweight; so it is meant to be just some fun with some learning attached, and is not intended to have the same rigour or depth as the card game Cornucopia.
When the project was first created there was a print run of the game on heavy duty paper. These were available at conferences and meetings - they were also available to be purchased online but this last option no longer seems to be available.
References
- OWASP [Snakes & Ladders][snakes
- OWASP Proactive Controls
- OWASP Top Ten 2017 version
- OWASP Mobile Top 10
- OWASP Cornucopia.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.
\newpage