4 changes: 4 additions & 0 deletions .wordlist-en.txt
Expand Up @@ -58,6 +58,7 @@ Cheatsheets
ClickJacking
Clickjacking
CodeQL
Copi
Coraza
Crackmes
Cryptographic
Expand Down Expand Up @@ -175,6 +176,7 @@ MagicLink
Matteo
Microservices
Misconfiguration
MLSec
ModSecurity
Multifactor
NIST
Expand Down Expand Up @@ -419,6 +421,7 @@ edumco
encodings
endif
enum
eop
esapi
executables
exfiltrate
Expand Down Expand Up @@ -470,6 +473,7 @@ lychee
mastg
maswe
misconfiguration
mlsec
mitigations
modsecurity
modularized
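Review bot: `mlsec` is inserted out of order here; it sits between `misconfiguration` and `mitigations`, but `ml` sorts after `mi`, so it belongs after `mitigations` and before `modsecurity`. The spell-checker does not care, but the rest of the file is kept alphabetical and the other additions in this PR (`Copi`, `MLSec`, `eop`) respect that order.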
49 changes: 32 additions & 17 deletions docs/en/04-design/01-threat-modeling/04-cornucopia.md
@@ -1,19 +1,30 @@
![Cornucopia logo](../../../assets/images/logos/cornucopia.png "OWASP Cornucopia"){ align=right width=180 }

OWASP Cornucopia is a card game used to help derive application security requirements
during the software development life cycle.
[Cornucopia][cornucopia] is an OWASP Lab project, and can be [downloaded][cornucopia-cards] from its project page.
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security
requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic.
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application
security requirements and develop security-based user stories.
[Cornucopia][cornucopia] is an OWASP production project. The cards can be [downloaded][cornucopia-cards] and printed or
[bought online][online] from its website.
It is also possible to play OWASP Cornucopia online using the cornucopia game engine called [Copi][copi]. Using the
[online game engine][copi], it is possible to play:

* [OWASP Cornucopia Website App][start-game] to gamify threat modeling and requirement analysis for website apps
* [OWASP Cornucopia Mobile App][start-game] to gamify threat modeling and requirement analysis for mobile apps
* [Elevation of Privilege][eop] to do general threat modeling
* [Elevation of MLSec][mlsec] for threat modeling applications that uses machine learning or Gen AI
* [OWASP Cumulus][cumulus] for threat model cloud infrastructure

#### What is Cornucopia?

Cornucopia provides a [set of cards][cornucopia-cards] designed to gamify threat modeling activities,
Cornucopia provides a [set of cards][cornucopia-browser] designed to gamify threat modeling activities,
helping agile development teams to identify weaknesses in applications and then record remediations or requirements.

There are three versions of the Cornucopia deck of threat modeling cards:

* Website App Edition
* Mobile App Edition
* Enterprise App Edition
* Enterprise App Edition (legacy)

The decks come with several suits according to the application, and always contain an overall 'Cornucopia' suit.

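Review bot: a few grammar slips in the new intro text. "to assist software development teams identify security requirements" should read "to assist software development teams in identifying security requirements" (or "help ... identify"); in the Copi list, "applications that uses machine learning or Gen AI" should be "applications that use machine learning or generative AI", and "for threat model cloud infrastructure" should be "for threat modeling cloud infrastructure". Two smaller things: the Website App and Mobile App bullets both resolve to the same `[start-game]` target, which is fine if the deck is chosen on that page, otherwise deck-specific links would be clearer; and the new "(legacy)" tag on the Enterprise App Edition bullet is not explained anywhere in the page, so a short clause saying what legacy means here (no longer maintained, superseded, or similar) would help readers.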
Expand All @@ -36,13 +47,11 @@ Vulnerabilities are arranged in domains as five suits with the additional Cornuc
To provide context the Cornucopia Website App cards reference other projects:

* OWASP Application Security Verification Standard ([ASVS][asvs])
* OWASP Secure Coding Practices ([SCP][scp-v21]]) quick reference guide
* OWASP [AppSensor][appsensor]
* OWASP Developer Guide ([Web Application Checklist][devguide])
* STRIDE
* MITRE's Common Attack Pattern Enumeration and Classification ([CAPEC][capec])
* [SAFEcode][safecode]

The SCP quick reference guide has now been incorporated as part of this [Developer Guide](../02-web-app-checklist/index.md).

#### Mobile App Edition

Similarly to the website application deck, the mobile application deck has five domains/suits,
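Review bot: the new `* OWASP Developer Guide ([Web Application Checklist][devguide])` bullet replaces the removed sentence, which linked the checklist with a relative path (`../02-web-app-checklist/index.md`), but the `[devguide]` definition added later in this diff is an absolute `https://devguide.owasp.org/...` URL. For a link from the Developer Guide to itself, a relative link keeps working in the GitHub preview, in local mkdocs builds and in translated copies; consider `[devguide]: ../02-web-app-checklist/index.md`. Separately, before dropping the SCP quick reference guide from the "reference other projects" list, it is worth confirming that the current Website App cards no longer cite SCP; if they still do, the bullet should stay with a note that the guide now lives in this Developer Guide.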
Expand Down Expand Up @@ -79,7 +88,8 @@ The outcome of the game is to identify possible threats and propose remediations
#### How to use Cornucopia

The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification:
'Project 16 - [Cornucopia][spotlight16]'.
'Project 16 - [Cornucopia][spotlight16]'. [Videos on the OWASP Cornucopia website][cornucopia-play] also demonstrate several
ways the game can be utilized.

Ideally Cornucopia is played in person using physical cards,
with the development team and security architects in the same room.
Expand All @@ -103,32 +113,37 @@ as well as having a good time.

#### References

* [AppSensor][appsensor]
* Application Security Verification Standard, [ASVS][asvs]
* Common Attack Pattern Enumeration and Classification, [CAPEC][capec]
* [Cornucopia][cornucopia]
* Mobile Application Security Verification Standard, [MASVS][masvs])
* Mobile Application Security Testing Guide, [MASTG][mastg])
* [Secure Coding Practices][scp-v21] quick reference guide
* [SAFEcode][safecode]
* [Spotlight][spotlight16] on Cornucopia
* OWASP Developer Guide ([Web Application Checklist][devguide])

----

The OWASP Developer Guide is a community effort; if there is something that needs changing
then [submit an issue][issue060104] or [edit on GitHub][edit060104].

[appsensor]: https://owasp.org/www-project-appsensor/
[asvs]: https://owasp.org/www-project-application-security-verification-standard/
[capec]: https://capec.mitre.org/
[cornucopia]: https://owasp.org/www-project-cornucopia/
[cornucopia-cards]: https://owasp.org/www-project-cornucopia#div-cards
[cornucopia]: https://cornucopia.owasp.org
[cornucopia-browser]: https://cornucopia.owasp.org/cards
[cornucopia-cards]: https://cornucopia.owasp.org/printing#Current-printable-version
[cornucopia-score]: https://owasp.org/www-project-cornucopia/assets/files/Cornucopia-scoresheet.pdf
[cornucopia-play]: https://owasp.org/www-project-cornucopia#div-play
[cornucopia-play]: https://cornucopia.owasp.org/how-to-play
[copi]: https://copi.owasp.org
[cumulus]: https://github.com/OWASP/cumulus
[eop]: https://github.com/adamshostack/eop
[edit060104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/04-cornucopia.md
[issue060104]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/04-cornucopia
[mastg]: https://mas.owasp.org/MASTG/
[masvs]: https://mas.owasp.org/MASVS/
[mlsec]: https://github.com/kantega/elevation-of-mlsec
[online]: https://cornucopia.owasp.org/webshop
[safecode]: https://safecode.org/
[scp-v21]: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/assets/docs/OWASP_SCP_Quick_Reference_Guide_v21.pdf
[devguide]: https://devguide.owasp.org/en/04-design/02-web-app-checklist
[spotlight16]: https://youtu.be/NesxjEGX58s
[start-game]: https://copi.owasp.org/games/new
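Review bot: the MASVS and MASTG entries carry an unbalanced closing parenthesis (`[MASVS][masvs])`, `[MASTG][mastg])`); since this hunk already touches the references list, drop the stray `)`. In the link definitions, `[cornucopia-score]` still points at the old `owasp.org/www-project-cornucopia/...` PDF while `[cornucopia]`, `[cornucopia-cards]` and `[cornucopia-play]` were moved to `cornucopia.owasp.org`, so check that the score sheet is still served from the old location or move it too. The new `[devguide]` definition sits between `[scp-v21]` and `[spotlight16]`, breaking the alphabetical order the rest of the list keeps (`[copi]` and `[eop]` are also slightly out of place). Finally, if the `[Secure Coding Practices][scp-v21]` bullet was removed from the references list, remove the `[scp-v21]` definition as well so markdownlint's unused-reference rule does not flag it; if the bullet stays, the definition is needed.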