OWASP Cornucopia Ecommerce Website Edition

The Cornucopia: eCommerce Website Edition card deck is a gamified version of OWASP's Secure Coding Practices Quick Reference Guide. The game was created by Colin Watson to help teams perform threat modelling on retail websites.

Cornucopia is based on the popular, general-purpose cybersecurity card game Elevation of Privilege, invented at Microsoft in 2010. It is a great way to help teams deliver a respectable minimum level of security, to teach security and raise awareness amongst developers, and to catch subtle issues that developers are well placed to identify.

It is also a great way to begin a "shift-left" in eCommerce Website security to an earlier point in the delivery cycle. This, in turn, creates a better working relationship between security / ops teams and developers.

OWASP Cornucopia Cards

The game features 80 cards. Each card describes, in the abstract, a common error or anti-pattern that leaves systems vulnerable to attack. These vulnerabilities are chosen from data gathered by the web security experts at OWASP.


Relationship with PCI DSS for Ecommerce Websites

The Best Practices for Securing E-commerce Special Interest Group is a part of the PCI Security Standards Council. The Council defines minimum standards for the handling of credit card information. Buying or building a PCI compliant software solution is essential if you want to take credit card payments online.

The SIG recommends that "Organizations should familiarize themselves with industry-accepted best practices and guidelines for securing e-commerce environments". Cornucopia is given as an example of such a resource in the April 2017 information supplement "Best Practices for Securing E-commerce" and in the January 2013 "PCI DSS E-commerce Guidelines v2".

How to play OWASP Cornucopia

Colin Watson's introductory video is an excellent way to become familiar with the game mechanics. More details on how to play the game can be found here: https://owasp.org/www-project-cornucopia/

How to play OWASP Cornucopia remotely?

We believe that playing the game with physical cards plays to the strengths of the game and of the people playing it.

This guide aims to provide a framework for facilitators to set up the game using physical cards over video calls.

Remote GamePlay Guide