OWASP Cornucopia Ecommerce Website Edition
The Cornucopia: eCommerce Website Edition card deck is a gamified version of OWASP's Secure Coding Practices Quick Reference Guide. The game was created by Colin Watson to help teams perform threat modelling on retail websites.
Cornucopia is based on the popular, general-purpose cybersecurity card game Elevation of Privilege, invented at Microsoft in 2010. It is a great way to help teams deliver a respectable minimum level of security, to teach security and raise awareness amongst developers, and to catch subtle issues that developers are well placed to identify.
It is also a great way to "shift left", moving eCommerce website security to an earlier point in the delivery cycle. This, in turn, creates a better working relationship between security / ops teams and developers.
OWASP Cornucopia Cards
The game features 80 cards. Each card describes, in the abstract, a common error or anti-pattern that leaves systems vulnerable to attack. These vulnerabilities are chosen from data gathered by the web security experts at OWASP.
How to play
OWASP Cornucopia can be played in many ways. Here's one way to get started.
Preparation:
- Obtain a Cornucopia deck.
- Choose an application or process to review.
- Create a data flow diagram.
- Gather 3-6 participants from different roles (e.g., architects, developers, testers).
- Prepare prizes for added motivation.
Gameplay:
- One suit, Cornucopia, acts as the trump suit. Aces are the highest cards.
- Remove low-value cards and deal the remaining ones.
- Players take turns playing cards, explaining how the card’s threat applies to the chosen application. Points are given for identifying valid threats.
- Play continues clockwise, with players trying to win hands by playing higher cards of the same suit or a trump card.
- The player who wins the round leads the next.
Scoring:
- Players earn 1 point for identifying a valid threat and 1 point for winning a hand.
- The player with the most points after all cards are played wins.
Closure:
- Review all identified threats and align them with security requirements.
- Create user stories, specifications, and test cases based on the threats for future development.
This video by Grant Ongers is an excellent way to become familiar with the game mechanics. More details on how to play the game can be found here: https://owasp.org/www-project-cornucopia/
Alternative game rules
Beginners can start by removing the Joker cards, adding them later as they become familiar with the game. Apart from the standard "trumps" rules, the game can also be played as "blackjack" to reduce the number of cards per round.
Players are encouraged to practice on imaginary or future applications before critiquing existing ones. Shorter sessions can be achieved by using just one suit or pre-selecting cards to focus on identifying security requirements. Some teams discuss all cards after a round, while others allow players to suggest ideas if someone misses a relevant threat, with bonus points for good contributions.