If you work in an Agile team building web applications, you’ve probably felt the tension between moving fast and staying secure. Enter OWASP Cornucopia, a card game designed to help Agile development teams identify and discuss security requirements during the design and development of web applications. Inspired by Microsoft's Elevation of Privilege (EoP), Cornucopia adapts the format to better address issues specific to web applications.
It introduces application threat modelling in a collaborative, engaging way, especially for teams unfamiliar with STRIDE, DREAD, or other traditional security analysis models.
What is OWASP Cornucopia?
Originally inspired by Microsoft's Elevation of Privilege (EoP) game, Cornucopia puts a web-app-focused spin on threat modelling. It’s built for development teams, especially Agile ones, to spark conversations around common (and not-so-common) security threats.
Think of it like this: each card in the deck represents a potential attack, described in plain language. Your job is to figure out if that attack could work against the app or feature you're building and if so, note it down as something to fix or defend against.
What’s in the Deck?
The Cornucopia deck is split into six suits:
- VE – Data Validation & Encoding
- AT – Authentication
- SM – Session Management
- AZ – Authorization
- CR – Cryptography
- C – Cornucopia (everything else that doesn’t fit into the other suits)
Each suit has 13 cards, Ace through King, and the deck also contains two Jokers. Unlike traditional playing cards, every Cornucopia card describes an attack by a named "attacker" (e.g. William has control over session identifiers) and carries references to standards and guidance such as OWASP ASVS, the OWASP Secure Coding Practices (SCP) and SAFECode, so each threat can be traced back to a concrete requirement.
How to Play – A Quick Guide
Here’s a typical way to play Cornucopia in a team setting:
Step 1: Set the Scene
- Pick a feature or app you're working on.
- Bring diagrams, user stories, or anything that shows how it works.
- Gather a group of 3–6 people: developers, architects, testers, product folk – and ideally someone who knows a bit about security.
- Bonus: have snacks or prizes (think pizza, chocolate, or bragging rights).
Step 2: Deal the Cards
- Shuffle the deck.
- Remove the Jokers and, if needed, the low-numbered Cornucopia cards (the 2, 3 and 4) so the deck divides evenly between the players.
- Deal all cards evenly to players.
Step 3: Start Playing
- Choose someone at random to go first.
- They play any card except a Cornucopia card (those are the “trumps”).
- Each player, in turn, must play a card from the same suit if they have one. If not, they can play any card.
- When you play a card, read it aloud and explain how that threat might apply to your app. No need to fix it yet; just surface the risk.
- The highest card of the suit wins the round unless someone plays a higher Cornucopia card.
- Winner of the round leads the next.
Step 4: Score It
- +1 point for identifying a valid threat
- +1 point if your card wins the round
- Highest score at the end wins the game
Step 5: Wrap-Up
- Review all identified threats.
- Map to OWASP/SCP/ASVS/SAFECode references.
- Create user stories, specifications, and test cases for your backlog.
Tip: have someone take notes as you go, ideally someone not playing. These notes will become security stories or tasks later.
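The dealing adjustment, the follow-suit and trump rules, and the scoring in Steps 2 to 4 above can be written down as a small model, which is handy for checking that a deck of a given size really does deal out evenly and for keeping a reproducible record of a session. The code below is an added example written for this post, not an official OWASP Cornucopia tool. It assumes the post's rules: six suits with Cornucopia (C) as trumps, Ace as the highest rank, followers obliged to follow suit when they can, and one point each for surfacing a valid threat and for winning the round. Player names and the fixed shuffle seed are constructed values for the example.

```python
"""Deck preparation, round resolution and scoring for an OWASP Cornucopia session.

Added illustration for this post, not OWASP's own tooling. It assumes the
post's rules: six suits (VE, AT, SM, AZ, CR, C), Ace high, Cornucopia (C)
cards act as trumps, followers must follow suit when they can, and one point
each for a valid threat and for winning the round.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SUITS = ["VE", "AT", "SM", "AZ", "CR", "C"]  # suits listed in the post; C is the trump suit
TRUMP = "C"
RANKS = list(range(2, 15))                   # 2..10, then J=11, Q=12, K=13, A=14 (Ace high, assumed)
FACE = {11: "J", 12: "Q", 13: "K", 14: "A"}


@dataclass(frozen=True)
class Card:
    suit: str
    rank: int

    def __str__(self) -> str:
        return f"{self.suit}-{FACE.get(self.rank, self.rank)}"


def build_deck(include_aces: bool = True) -> list[Card]:
    """The 78 suited cards (6 suits x 13). The two Jokers are left out because
    Step 2 removes them before dealing; include_aces=False also drops the Aces,
    which is the simplification suggested for teams new to the game."""
    return [Card(s, r) for s in SUITS for r in RANKS if include_aces or r != 14]


def prepare_deck(players: int, include_aces: bool = True) -> list[Card]:
    """Step 2: drop the low Cornucopia cards (2, then 3, then 4) until the deck
    divides evenly among the players. If it still does not after those three,
    the deck is returned as-is and deal() hands the remainder out round-robin."""
    if players < 1:
        raise ValueError("need at least one player")
    deck = build_deck(include_aces)
    for low in (2, 3, 4):
        if len(deck) % players == 0:
            break
        deck.remove(Card(TRUMP, low))
    return deck


def deal(deck: list[Card], players: list[str], seed: int = 0) -> dict[str, list[Card]]:
    """Shuffle with a fixed seed (so the session can be reproduced from the
    notes) and deal the cards round-robin to the named players."""
    cards = list(deck)
    random.Random(seed).shuffle(cards)
    hands: dict[str, list[Card]] = {p: [] for p in players}
    for i, card in enumerate(cards):
        hands[players[i % len(players)]].append(card)
    return hands


def legal_plays(hand: list[Card], led_suit: Optional[str]) -> list[Card]:
    """Step 3: the leader may play anything except a Cornucopia card; everyone
    else must follow the led suit if they hold it, otherwise any card is fine."""
    if led_suit is None:
        return [c for c in hand if c.suit != TRUMP]
    same_suit = [c for c in hand if c.suit == led_suit]
    return same_suit or list(hand)


def round_winner(plays: list[tuple[str, Card]]) -> str:
    """Highest card of the led suit wins, unless one or more Cornucopia cards
    were played, in which case the highest Cornucopia card wins."""
    _, lead_card = plays[0]
    if lead_card.suit == TRUMP:
        raise ValueError("a Cornucopia card may not lead the round")
    trumps = [(p, c) for p, c in plays if c.suit == TRUMP]
    contenders = trumps or [(p, c) for p, c in plays if c.suit == lead_card.suit]
    return max(contenders, key=lambda pc: pc[1].rank)[0]


def score_round(plays: list[tuple[str, Card]], valid_threats: set[str],
                scores: Optional[dict[str, int]] = None) -> dict[str, int]:
    """Step 4: +1 for each player whose card surfaced a valid threat
    (valid_threats holds their names), +1 for whoever won the round."""
    tally = defaultdict(int, scores or {})
    for player, _ in plays:
        if player in valid_threats:
            tally[player] += 1
    tally[round_winner(plays)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed four-person session: 78 cards minus C-2 and C-3 gives 19 each.
    team = ["dev", "tester", "architect", "product"]
    hands = deal(prepare_deck(len(team)), team, seed=42)
    for name, hand in hands.items():
        print(name, len(hand), " ".join(str(c) for c in sorted(hand, key=lambda c: (c.suit, c.rank))))
```

The `valid_threats` set is the note-taker's record of who surfaced a threat the group agreed was real; feeding it into `score_round` alongside the played cards keeps scoring and the threat list in one place, ready for the Step 5 mapping to references and backlog items.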
Just Getting Started? Keep It Simple.
If you’re new to Cornucopia, start by removing the Aces and Jokers. You can add them back in once everyone’s more comfortable with the game.
The standard rules follow a classic trump-style card game, but you can also play it like blackjack (21) to shorten the rounds.
Rather than jumping into a real application, try practising with a fictional or upcoming one. This helps the team focus on learning without the pressure of finding real flaws.
To keep things manageable:
- Use just one suit for a short session.
- Play one round per day over a week.
- Pre-select cards to focus only on threat discovery.
Some teams prefer to play a full hand and then discuss the threats at the end of each round. That’s perfectly fine.
If a player misses a valid threat, let others suggest ideas and, if they spot one, award them the point instead. You can also reward especially sharp insights with bonus points.
And yes, you can play solo. But bringing in more people always leads to better discussions.
You can also customise the deck. If your language/framework (e.g. Spring, Rails, ASP.NET) already prevents certain attacks, feel free to remove those cards. Or tailor the game to match compliance standards by picking cards relevant to PCI DSS, for example.
The best part about Cornucopia is that it doesn’t require you to be a security expert to contribute. It just helps your team have better conversations around security, earlier in the process. And that makes for better software.
So the next time you're planning a sprint, consider dealing out a few cards.