OWASP Cornucopia

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Cornucopia
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes.

Introduction
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when SAFECode published its Practical Security Stories and Security Tasks for Agile Development Environments in July 2012.

The Microsoft SDL team had already published its super Elevation of Privilege: The Threat Modeling Game (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was published under a Creative Commons Attribution License. Cornucopia is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

The Card Decks
Ecommerce Website Edition

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the OWASP Secure Coding Practices - Quick Reference Guide (SCP), but with additional consideration of sections in the OWASP Application Security Verification Standard, the OWASP Testing Guide and David Rook’s Principles of Secure Development. These provided five suits, and a sixth called “Cornucopia” was created for everything else:


 * Data validation and encoding
 * Authentication
 * Session management
 * Authorization
 * Cryptography
 * Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP.

Other Decks

Future editions such as for mobile app development will use different sources of information and suits.

Mappings
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference CWE weakness IDs, but these proved too numerous, and instead it was decided to map each card to software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the SAFECode document, as well as to the OWASP SCP v2, ASVS 2009 and AppSensor (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

Licensing
OWASP Corncucopia is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is Cornucopia?
OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:


 * Download the document
 * Print the cards onto plain paper or pre-scored card
 * Cut/separate the individual cards
 * Identify an application, module or component to assess
 * Invite business owners, architects, developers, testers along for a card game
 * Get those infosec folk to provide chocolate, pizza, beer or all three as prizes
 * Select a portion of the pack to start with
 * Play the game to discuss &amp; document security requirements (and to win rounds)
 * Remember, points make prizes!

Presentation


The game rules are in the document download. But the project presentation above includes an animated version of four demonstration rounds.

Project Leader
Colin Watson


 * valign="top" style="padding-left:25px;width:200px;" |

Quick Download

 * OWASP Cornucopia Ecommerce Website Edition

Reference Files

 * OWASP SCP requirements
 * OWASP ASVS verification IDs
 * OWASP AppSensor attack detection point IDs
 * CAPEC IDs
 * SAFECode security-focused stories IDs

The OWASP SCP does not include identities, so please use.

News

 * [10 May 2013] Project pages created
 * [13 Mar 2013] Project presentation at OWASP NL



OWASP Cornucopia Ecommerce Website Edition is referenced in the new Payment Card Industry Security Standards Council information supplement PCI DSS E-commerce Guidelines v2, January 2013


 * }

= Ecommerce Website Edition =

= How to Play =

=FAQs=
 * Can I copy or edit the game?
 * Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?


 * How can I get involved?
 * Please send ideas or offers of help to the project’s mailing list.


 * How were the attackers’ names chosen?
 * EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.


 * Why aren’t there any images on the card faces?
 * There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

= Acknowledgements =

Volunteers
Cornucopia is developed by a worldwide team of volunteers.

Sponsors
But we have also been helped by many organizations, either financially or by encouraging their employees to work on Cornucopia:
 * OWASP Federation
 * Watson Hall Ltd

Others

 * Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
 * Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
 * Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
 * Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

= Road Map = As of May 2013, the priorities are:
 * Create and publish the Secure Coding Practices Quick Reference Guide identities used in the cross-referencing [Completed 10 May 2013]
 * Build these project wiki pages out
 * Source funding fro graphical design
 * Promote use of Cornucopia

= Getting Involved = Involvement in the development and promotion of Cornucopia is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

Localization
Are you fluent in another language? Can you help translate Cornucopia into that language?

Design
Do you have a flair for innovative design and have the skills to create print-ready materials? We desperately need the cards to be worked up into a more attractive format. Let us know if you can offer your help.

Use and Promote the Cornucopia Card Decks
Please help raise awareness of Cornucopia by printing cards:
 * Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
 * Create video about how to play the game

Feedback
Please use the friendly project mailing list for feedback:
 * What do like?
 * What don't you like?
 * What cards don't make sense?
 * How could the guidance be improved?
 * What other decks would you like to see?

Keep the Cards Updated
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the friendly project mailing list if you have identified errors &amp; omissions, have some time to maintain the source documents, or can help in other ways.

Create a New Deck
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful OWASP Mobile Security Project as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for or something else?

=Project About=