OWASP Cornucopia Cards - Ecommerce Website Edition

The Cornucopia: eCommerce Website Edition card deck is a gamified version of OWASP's Secure Coding Practices Quick Reference Guide. The game was created by Colin Watson to help teams perform threat modelling on retail websites.

Cornucopia is based on the popular, general-purpose cybersecurity card game Elevation of Privilege, invented at Microsoft in 2010. It is a great way to help teams deliver a respectable minimum level of security, to teach security and raise awareness amongst developers, and to catch subtle issues that developers are well placed to identify.

It is also a great way to begin a "shift-left" in eCommerce Website security to an earlier point in the delivery cycle. This, in turn, creates a better working relationship between security / ops teams and developers.

The game features 80 cards. Each card describes, in the abstract, a common error or anti-pattern that leaves systems vulnerable to attack. These vulnerabilities are chosen from data gathered by OWASP's web security experts.


Relationship with PCI DSS for Ecommerce Websites

The Best Practices for Securing E-commerce Special Interest Group (SIG) is part of the PCI Security Standards Council. The Council defines minimum standards for the handling of credit card information. Buying or building a PCI-compliant software solution is essential if you want to take credit card payments online.

The SIG recommends that "Organizations should familiarize themselves with industry-accepted best practices and guidelines for securing e-commerce environments". Cornucopia is given as an example of such a resource in the April 2017 information supplement "Best Practices for Securing E-commerce" and in the January 2013 "PCI DSS E-commerce Guidelines v2".

How to play OWASP Cornucopia

Colin Watson's introductory video is an excellent way to become familiar with the game mechanics. More details on how to play the game can be found at https://owasp.org/www-project-cornucopia/

How to Play EOP and OWASP Cornucopia remotely

Elevation of Privilege, Cyber Security Cornucopia and OWASP Cornucopia are great games for helping software delivery teams become more aware of threat models and actively seek out specific threats.

Many of the advantages of the game are cognitive or psychological, and we believe that playing with physical cards plays both to the game's strengths and to human strengths.

Since it is currently difficult to play a physical card game at a table, this guide aims to provide a framework for facilitators to set up games over video calls.
