OWASP Cornucopia Series Introduction
Recently I was introduced to OWASP Cornucopia, a threat modeling card game that encourages collaborative discussions about security. The game is based on 6 categories, and each category is a suit:
- Authentication
- Authorization
- Data Validation & Encoding
- Session Management
- Cryptography
- Cornucopia
Each suit has 13 cards: 2 through 10, Jack, Queen, King and Ace, with Ace high. The higher the card, the more difficult the attack scenario it describes.
“The attacks were primarily drawn from the security requirements listed in the OWASP Security Controls and Principles (SCP) v2, but were supplemented with verification objectives from the OWASP Application Security Verification Standard (ASVS).”
When I first played the game and talked through the scenarios, I found that it really exposed my weak spots. Explaining these scenarios off the cuff, and convincing others not only of what can go wrong but also of how it can be fixed, is a lot more difficult than it sounds.
To build a stronger foundation, I decided to go through each card in each suit. I plan to write a blog series (suit by suit) explaining the security issue each card describes and my recommendations for fixing it.
If you’re interested in learning more about the game, you can read about it here: https://owasp.org/www-project-cornucopia/