From 3c17b300ed0d3dba21c8296cdecb830baa7580f0 Mon Sep 17 00:00:00 2001 From: Johan Sydseter Date: Sat, 23 May 2026 13:48:27 +0200 Subject: [PATCH 1/6] Remove information that is out-of-date and references that now is available at the cornucopia website --- .../01-threat-modeling/04-cornucopia.md | 135 ++++-------------- 1 file changed, 26 insertions(+), 109 deletions(-) diff --git a/docs/en/04-design/01-threat-modeling/04-cornucopia.md b/docs/en/04-design/01-threat-modeling/04-cornucopia.md index 10e890cb..8e4be443 100644 --- a/docs/en/04-design/01-threat-modeling/04-cornucopia.md +++ b/docs/en/04-design/01-threat-modeling/04-cornucopia.md 
@@ -1,83 +1,29 @@ ![Cornucopia logo](../../../assets/images/logos/cornucopia.png "OWASP Cornucopia"){ align=right width=180 } +#### What is Cornucopia? + OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. [Cornucopia][cornucopia] is an OWASP production project. The cards can be [downloaded][cornucopia-cards] and printed or [bought online][online] from its website. -It is also possible to play OWASP Cornucopia online using the cornucopia game engine called [Copi][copi]. Using the -[online game engine][copi], it is possible to play: - -* [OWASP Cornucopia Website App][start-game] to gamify threat modeling and requirement analysis for website apps -* [OWASP Cornucopia Mobile App][start-game] to gamify threat modeling and requirement analysis for mobile apps -* [Elevation of Privilege][eop] to do general threat modeling -* [Elevation of MLSec][mlsec] for threat modeling applications that uses machine learning or Gen AI -* [OWASP Cumulus][cumulus] for threat model cloud infrastructure - -#### What is Cornucopia? - -Cornucopia provides a [set of cards][cornucopia-browser] designed to gamify threat modeling activities, -helping agile development teams to identify weaknesses in applications and then record remediations or requirements. - -There are three versions of the Cornucopia deck of threat modeling cards: - -* Website App Edition -* Mobile App Edition -* Enterprise App Edition (legacy) - -The decks come with several suits according to the application, and always contain an overall 'Cornucopia' suit. 
- -Cornucopia can be played in many different ways, there is no one way, -and there is a suggested [set of rules][cornucopia-play] to start the game off. -Cornucopia provides a [score sheet][cornucopia-score] to can help keep track of the game session and to record outcomes. - -#### Website App Edition - -Each card in the Website App deck describes a common error or anti-pattern that allows systems to be vulnerable to attack. -Vulnerabilities are arranged in domains as five suits with the additional Cornucopia suit ranging across these domains: - -* Data Validation and Encoding -* Authentication -* Session Management -* Authorization -* Cryptography -* Cornucopia - -To provide context the Cornucopia Website App cards reference other projects: - -* OWASP Application Security Verification Standard ([ASVS][asvs]) -* OWASP Developer Guide ([Web Application Checklist][devguide]) -* STRIDE -* MITRE's Common Attack Pattern Enumeration and Classification ([CAPEC][capec]) -* [SAFEcode][safecode] +It is also possible to play OWASP Cornucopia online using the cornucopia game engine called [Copi][copi]. +The game engine has also a broad selection of other EoP related games. -#### Mobile App Edition - -Similarly to the website application deck, the mobile application deck has five domains/suits, -with Cornucopia cross domain: - -* Platform and Code -* Authentication and Authorization -* Network and Storage -* Resilience -* Cryptography -* Cornucopia - -For context the Cornucopia Mobile App cards reference these other projects: - -* OWASP Mobile Application Security Verification Standard ([MASVS][masvs]) -* OWASP Mobile Application Security Testing Guide ([MASTG][mastg]) -* MITRE's Common Attack Pattern Enumeration and Classification ([CAPEC][capec]) -* [SAFEcode][safecode] - -#### Ecommerce Website Edition +#### Why use it? -This is the original Cornucopia deck and has the same domains/suits, including the Cornucopia cross domain suit, -as the Website App Edition. 
Some of the vulnerabilities are specific to Ecommerce, -but it references the same projects as the website edition. +The [OWASP Cornucopia][cornucopia] card game is designed to help developers think about possible threats in a solution +design, and derive a set of security requirements to build against. Team members are each dealt cards that describe +particular threats. They then take turns trying to make a case for their particular threat, posing a risk to the solution +design, scoring points if they are able to do so. -#### Why use it? +OWASP Cornucopia uses threats grouped into areas that are particularly relevant to software developers, such as AI, authentication, authorisation, +cloud, data validation & encoding, DevOps, and frontend (client-side development). +The threats are derived from various standards, OWASP Top 10 lists, guides, +and other lists. For a full list and to find out how you can acquire and +play their list of games, see their website at +[cornucopia.owasp.org][mapping]. Cornucopia is useful for both requirements analysis and threat modeling, providing gamification of these activities within the development lifecycle. 
@@ -87,63 +33,34 @@ The outcome of the game is to identify possible threats and propose remediations #### How to use Cornucopia +Cornucopia can be played in many different ways, there is no one way, +and there is a suggested [set of rules][cornucopia-play] to start the game off. +[OWASP Threat Dragon][threat-dragon] also has a diagram called "EoP Games" that allowes the players to link the card that +scores directly to a threat model to simplify security requirement analysis. + The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification: 'Project 16 - [Cornucopia][spotlight16]'. [Videos on the OWASP Cornucopia website][cornucopia-play] also demonstrate several -ways the game can be utilized. - -Ideally Cornucopia is played in person using physical cards, -with the development team and security architects in the same room. -The application should already have been described by an architecture diagram or data flow diagram -so that the players have something to refer to during the game. - -The suggested order of play is: - -1. Pre-sort: the deck, some cards may not be relevant for the web application -2. Deal: the cards equally to the players -3. Play: the players take turns to select a card -4. Describe: the player describes the possible attack using the card played -5. Convince: the other players have to be convinced that the attack is valid -6. Score: award points for a successful attack -7. Follow suit: the next player has to select a card from the same suit -8. Winner: the player with the most points -9. Follow up: each valid threat should be recorded and acted upon - -Remember that the outcome of the game is to identify possible threats and propose remediations, -as well as having a good time. +ways the game can be utilized. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on the games and how to use it. 
#### References -* Application Security Verification Standard, [ASVS][asvs] -* Common Attack Pattern Enumeration and Classification, [CAPEC][capec] -* [Cornucopia][cornucopia] -* Mobile Application Security Verification Standard, [MASVS][masvs]) -* Mobile Application Security Testing Guide, [MASTG][mastg]) -* [SAFEcode][safecode] +* [OWASP Cornucopia Website][cornucopia] * [Spotlight][spotlight16] on Cornucopia -* OWASP Developer Guide ([Web Application Checklist][devguide]) ---- The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue060104] or [edit on GitHub][edit060104]. -[asvs]: https://owasp.org/www-project-application-security-verification-standard/ -[capec]: https://capec.mitre.org/ [cornucopia]: https://cornucopia.owasp.org -[cornucopia-browser]: https://cornucopia.owasp.org/cards [cornucopia-cards]: https://cornucopia.owasp.org/printing#Current-printable-version -[cornucopia-score]: https://owasp.org/www-project-cornucopia/assets/files/Cornucopia-scoresheet.pdf [cornucopia-play]: https://cornucopia.owasp.org/how-to-play [copi]: https://copi.owasp.org -[cumulus]: https://github.com/OWASP/cumulus -[eop]: https://github.com/adamshostack/eop +[devguide]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/ [edit060104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/04-cornucopia.md [issue060104]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/04-cornucopia -[mastg]: https://mas.owasp.org/MASTG/ -[masvs]: https://mas.owasp.org/MASVS/ -[mlsec]: https://github.com/kantega/elevation-of-mlsec +[mapping]: https://cornucopia.owasp.org/about#Mappings [online]: https://cornucopia.owasp.org/webshop -[safecode]: https://safecode.org/ -[devguide]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/ +[owasp25th]: https://www.youtube.com/watch?v=KmjUM0EF_24 [spotlight16]: 
https://youtu.be/NesxjEGX58s -[start-game]: https://copi.owasp.org/games/new +[threat-dragon]: https://www.threatdragon.com \ No newline at end of file From 57c0b3a7ed3b060fbdfb0121feae5cd23f602236 Mon Sep 17 00:00:00 2001 From: Johan Sydseter Date: Sat, 23 May 2026 13:57:24 +0200 Subject: [PATCH 2/6] Fix linting --- .../01-threat-modeling/04-cornucopia.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/en/04-design/01-threat-modeling/04-cornucopia.md b/docs/en/04-design/01-threat-modeling/04-cornucopia.md index 8e4be443..301064ed 100644 --- a/docs/en/04-design/01-threat-modeling/04-cornucopia.md +++ b/docs/en/04-design/01-threat-modeling/04-cornucopia.md 
@@ -13,13 +13,13 @@ The game engine has also a broad selection of other EoP related games. #### Why use it? -The [OWASP Cornucopia][cornucopia] card game is designed to help developers think about possible threats in a solution -design, and derive a set of security requirements to build against. Team members are each dealt cards that describe -particular threats. They then take turns trying to make a case for their particular threat, posing a risk to the solution +The [OWASP Cornucopia][cornucopia] card game is designed to help developers think about possible threats in a solution +design, and derive a set of security requirements to build against. Team members are each dealt cards that describe +particular threats. They then take turns trying to make a case for their particular threat, posing a risk to the solution design, scoring points if they are able to do so. -OWASP Cornucopia uses threats grouped into areas that are particularly relevant to software developers, such as AI, authentication, authorisation, -cloud, data validation & encoding, DevOps, and frontend (client-side development). +OWASP Cornucopia uses threats grouped into areas that are particularly relevant to software developers, such as AI, +authentication, authorisation, cloud, data validation & encoding, DevOps, and frontend (client-side development). The threats are derived from various standards, OWASP Top 10 lists, guides, and other lists. For a full list and to find out how you can acquire and play their list of games, see their website at 
@@ -35,12 +35,13 @@ The outcome of the game is to identify possible threats and propose remediations Cornucopia can be played in many different ways, there is no one way, and there is a suggested [set of rules][cornucopia-play] to start the game off. -[OWASP Threat Dragon][threat-dragon] also has a diagram called "EoP Games" that allowes the players to link the card that +[OWASP Threat Dragon][threat-dragon] also has a diagram called "EoP Games" that allowes the players to link the card that scores directly to a threat model to simplify security requirement analysis. The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification: 'Project 16 - [Cornucopia][spotlight16]'. [Videos on the OWASP Cornucopia website][cornucopia-play] also demonstrate several -ways the game can be utilized. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on the games and how to use it. +ways the game can be utilized. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on +the games and how to use it. #### References 
@@ -56,11 +57,10 @@ then [submit an issue][issue060104] or [edit on GitHub][edit060104]. [cornucopia-cards]: https://cornucopia.owasp.org/printing#Current-printable-version [cornucopia-play]: https://cornucopia.owasp.org/how-to-play [copi]: https://copi.owasp.org -[devguide]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/ [edit060104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/04-cornucopia.md [issue060104]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/04-cornucopia [mapping]: https://cornucopia.owasp.org/about#Mappings [online]: https://cornucopia.owasp.org/webshop [owasp25th]: https://www.youtube.com/watch?v=KmjUM0EF_24 [spotlight16]: https://youtu.be/NesxjEGX58s -[threat-dragon]: https://www.threatdragon.com \ No newline at end of file +[threat-dragon]: https://www.threatdragon.com From 69eafc8a917337b89e033ac98a4fb0098bb04f20 Mon Sep 17 00:00:00 2001 From: Johan Sydseter Date: Sat, 23 May 2026 14:00:57 +0200 Subject: [PATCH 3/6] Add words to wordlist --- .wordlist-en.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 9593e700..5ccee93e 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -1,6 +1,7 @@ ACM AEAD AES +allowes APIT APIs APISIX @@ -20,6 +21,7 @@ AppSec AppSensor Arithmatex Atlassian +authorisation BOLA BOM BOMs @@ -93,6 +95,7 @@ ECB ECMA EE ENISA +EoP ESAPI Ebihara Ecommerce @@ -300,6 +303,7 @@ SuperFences Sydseter Symfony TCP +th TLS TMBOM TOCTOU From 09361fdc46ea5a413f9343fbc992f037f3364e86 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sat, 23 May 2026 14:27:30 +0200 Subject: [PATCH 4/6] Update 04-cornucopia.md --- .../01-threat-modeling/04-cornucopia.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/docs/en/04-design/01-threat-modeling/04-cornucopia.md b/docs/en/04-design/01-threat-modeling/04-cornucopia.md index 301064ed..3cac13fc 100644 --- a/docs/en/04-design/01-threat-modeling/04-cornucopia.md +++ b/docs/en/04-design/01-threat-modeling/04-cornucopia.md @@ -2,14 +2,14 @@ #### What is Cornucopia? -OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security +OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic. -The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application +The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. [Cornucopia][cornucopia] is an OWASP production project. The cards can be [downloaded][cornucopia-cards] and printed or [bought online][online] from its website. It is also possible to play OWASP Cornucopia online using the cornucopia game engine called [Copi][copi]. -The game engine has also a broad selection of other EoP related games. +The game engine also has a broad selection of other EoP-related games. #### Why use it? 
@@ -27,21 +27,21 @@ play their list of games, see their website at Cornucopia is useful for both requirements analysis and threat modeling, providing gamification of these activities within the development lifecycle. -It is targeted towards agile development teams and provides a different perspective to these tasks. +It is targeted towards agile development teams and provides a different perspective on these tasks. The outcome of the game is to identify possible threats and propose remediations. #### How to use Cornucopia -Cornucopia can be played in many different ways, there is no one way, +Cornucopia can be played in many different ways; there is no one way, and there is a suggested [set of rules][cornucopia-play] to start the game off. -[OWASP Threat Dragon][threat-dragon] also has a diagram called "EoP Games" that allowes the players to link the card that +[OWASP Threat Dragon][threat-dragon] also has a diagram called "EoP Games" that allows the players to link the card that scores directly to a threat model to simplify security requirement analysis. The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification: 'Project 16 - [Cornucopia][spotlight16]'. [Videos on the OWASP Cornucopia website][cornucopia-play] also demonstrate several -ways the game can be utilized. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on -the games and how to use it. +ways the game can be utilised. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on +the games and how to use them. #### References From 56873cf1a6199edf9919f23c3b46a6833f783b59 Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sat, 23 May 2026 14:27:59 +0200 Subject: [PATCH 5/6] Update .wordlist-en.txt --- .wordlist-en.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 5ccee93e..c06cc9d5 100644 
--- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -1,7 +1,6 @@ ACM AEAD AES -allowes APIT APIs APISIX From 2c42db975343f0d3a678ee9f8b42a973013e4dfd Mon Sep 17 00:00:00 2001 From: Uncle Joe <1244005+sydseter@users.noreply.github.com> Date: Sat, 23 May 2026 14:29:27 +0200 Subject: [PATCH 6/6] Update 04-cornucopia.md --- docs/en/04-design/01-threat-modeling/04-cornucopia.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/04-design/01-threat-modeling/04-cornucopia.md b/docs/en/04-design/01-threat-modeling/04-cornucopia.md index 3cac13fc..89280982 100644 --- a/docs/en/04-design/01-threat-modeling/04-cornucopia.md +++ b/docs/en/04-design/01-threat-modeling/04-cornucopia.md @@ -40,7 +40,7 @@ scores directly to a threat model to simplify security requirement analysis. The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification: 'Project 16 - [Cornucopia][spotlight16]'. [Videos on the OWASP Cornucopia website][cornucopia-play] also demonstrate several -ways the game can be utilised. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on +ways the game can be utilized. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on the games and how to use them. #### References
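Review bot: In patch 1/6, first hunk ("What is Cornucopia?" / "Why use it?"), the new line "The game engine has also a broad selection of other EoP related games." introduces "EoP" without expanding it, and the only line that spelled out "Elevation of Privilege" is deleted in the same hunk; spell it out on first use, e.g. "other Elevation of Privilege (EoP) related games". In the same hunk, the new "Why use it?" paragraph uses "authorisation" while the file otherwise uses US spelling ("Authorization" in the removed suit list, "utilized" below); use "authorization" rather than whitelisting the UK form. The sentence "For a full list and to find out how you can acquire and play their list of games, see their website at [cornucopia.owasp.org][mapping]" reads as if Cornucopia were a third party, and the link text is the bare domain while the target is the about#Mappings anchor; suggest "see the Mappings section of the [Cornucopia website][mapping]".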
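Review bot: In patch 1/6, second hunk ("How to use Cornucopia"), "There is also a [OWASP 25th Anniversary Video][owasp25th]" needs "an OWASP", and this wording survives unchanged through patches 4/6 and 6/6. The hunk also deletes the nine-step suggested order of play and the advice to have an architecture or data flow diagram ready before playing; after the change the section consists only of links, and the commit subject does not explain why the order of play is out of date. Suggest keeping a one-sentence summary (pre-sort, deal, play, describe, convince, score, follow up) or stating explicitly that the sequence is now maintained in the linked rules. The typo "allowes" in the added Threat Dragon sentence should be fixed here rather than in patch 4/6.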
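Review bot: In patch 1/6, third hunk (References and link definitions), the `[devguide]` definition is kept (moved to a new position) even though its only use, "OWASP Developer Guide ([Web Application Checklist][devguide])", is deleted in the same hunk; patch 2/6 then removes the orphaned definition, so fold that removal into this commit. The hunk also leaves the file without a trailing newline ("\ No newline at end of file"), again repaired only in patch 2/6. Squashing 1/6 and 2/6 would avoid landing a commit that fails the project's own lint.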
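Review bot: In patch 3/6 (.wordlist-en.txt), the added entries "allowes" and "th" should not be accepted words: "allowes" is a misspelling that patch 5/6 removes again after patch 4/6 fixes the text, so the add/remove pair should be dropped from the series; "th" is the suffix of "25th" as tokenized by the spell checker, and whitelisting it globally masks future typos. Prefer configuring the checker to ignore ordinal suffixes, or rephrase the sentence, rather than adding "th". The "authorisation" entry only exists to cover the one UK spelling introduced in patch 1/6; changing the text to "authorization" makes it unnecessary. "EoP" is a reasonable entry once the acronym is expanded on first use in the document.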
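Review bot: In patch 4/6, second hunk ("How to use Cornucopia"), "utilized" is changed to "utilised" and patch 6/6 reverts it, so the series carries a change and its reversal; squash them. The same hunk corrects "how to use it" to "how to use them" but leaves "a [OWASP 25th Anniversary Video]" as "a" instead of "an". The first hunk's grammar fixes ("assist ... in identifying", "EoP-related") are fine, and the hyphenated "EoP-related" should be the form used consistently.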
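Review bot: In patch 6/6, the single hunk only undoes the "utilised" spelling from patch 4/6; after it the file ends with "utilized" (US) alongside "authorisation" (UK) from patch 1/6, so the spelling convention is still mixed. Settle on US spelling throughout (the repository wordlist already carries "Ecommerce" and the removed text used "Authorization"), and fix "a OWASP" to "an OWASP" in the same line while touching it.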