OWASP Cyber security threat modeling game

Identify threats

Owasp Cornucopia is a card game, meant to be played in an agile development context. It allows developers to identify and discuss security requirements for their software applications. It is an easy way to introduce the practice of threat modeling in a software development team. Playing the card game encourages developers to actively think about the kind of threats that can emerge when creating software. This empowers teams to independently secure their applications while building them. Doing so embraces the shift-left strategy, where security becomes an integrated part of the development cycle.

Learn how to play
         !...:!TVBBBRPFT||||||||||!!^^""'   ||||
         !.......:!?|||||!!^^""'            ||||
         !.........||||                     ||||
         !.........||||  ##                 ||||
         !.........||||                     ||||
         !.........||||                     ||||
         !.........||||                     ||||
         !.........||||                     ||||
         `.........||||                    ,||||
          .;.......||||               _.-!!|||||
   .,uodWBBBBb.....||||       _.-!!|||||||||!:'
!..YBBBBBBBBBBBBBBb!!||||||||!iof68BBBBBBRPFT?!::   `.
!....YBBBBBBBBBBBBBBbaaitf68BBBBBBRPFT?!:::::::::     `.
!......YBBBBBBBBBBBBBBBBBBBRPFT?!::::::;:!^"`;:::       `.
!........YBBBBBBBBBBRPFT?!::::::::::^''...::::::;         iBBbo.
`..........YBRPFT?!::::::::::::::::::::::::;iof68bo.      WBBBBbo.
  `..........:::::::::::::::::::::::;iof688888888888b.     `YBBBP^'
    `........::::::::::::::::;iof688888888888888888888b.     `
            `' !!988888888888888888888888899fT|!^"'
                   MMMMMMMM'  `"MMMMM"""""""MMMM""`  'MMMMMMMM                  
                  MMMMMMMMM                           MMMMMMMMM                 
                 MMMMMMMMMM:                         :MMMMMMMMMM                
                .MMMMMMMMMM                           MMMMMMMMMM.               
                MMMMMMMMM"                             "MMMMMMMMM               
                MMMMMMMMM                               MMMMMMMMM               
                MMMMMMMMM                               MMMMMMMMM               
                MMMMMMMMMM                             MMMMMMMMMM               
                `MMMMMMMMMM                           MMMMMMMMMM`               
                 MMMMMMMMMMMM.                     .MMMMMMMMMMMM                
                 MMMMMM  MMMMMMMMMM         MMMMMMMMMMMMMMMMMM                 
                   MMMMMM  'MMMMMMM           MMMMMMMMMMMMMMMM                  
                    `MMMMMM  "MMMMM           MMMMMMMMMMMMMM`                   
                      `MMMMMm                 MMMMMMMMMMMM`                     
                        `"MMMMMMMMM           MMMMMMMMM"`                       
                           `"MMMMMM           MMMMMM"`                          
                               `""M           M""`                              

Open source

One of the main advantages of the OWASP Cornucopia card game being open source is that it allows anyone to access and use the game without any licensing fees or restrictions. This encourages widespread adoption and makes it easier for teams to integrate the game into their security practices. Additionally, being open source means that the game is transparent and customizable. Teams can modify the game to suit their specific needs and address the security threats that are most relevant to their applications. They can also contribute back to the game's development by submitting new cards or improvements. Furthermore, open source software tends to have a large and active community of developers who contribute to the codebase and offer support. This can lead to faster bug fixes and updates, ensuring that the game remains relevant and effective in identifying security threats.

View source on Github


The OWASP Cornucopia card game can be effectively integrated into an Agile development process. In Agile, the focus is on delivering working software quickly and continuously improving it based on feedback. The Cornucopia game can be used to identify potential security threats early in the development process, allowing teams to address them before they become major issues. The game can be played during planning sessions, where teams can discuss the security risks associated with each feature and prioritize them accordingly. It can also be used during testing to ensure that all identified risks have been addressed before releasing the software. The game can be played by cross-functional teams, including developers, testers, and security experts, to promote collaboration and shared responsibility for security. The game's flexible and customizable nature also allows teams to tailor it to their specific Agile process and development methodologies. By integrating the Cornucopia game into Agile development, teams can ensure that security is a key consideration throughout the entire software development lifecycle.

               ;YVXXt=:               .;tYXXX+                
            .tVXVt;                       .iXXVI:             
           tRXX;                        .;;  ;YVVY:           
         ;RXV;                            +RR+..YVRt          
       .XXR;                           :;.  ;BBY.:VXR;        
      ;RYX                              :XBY; tBBi tVR+       
     ;RV+                             :;  :RMB+;BMB.;RXt      
    ;RR;                               ;RR+.tBMBiBMB::RXt     
   :RV;                             .+;. iBBY;BMMBMMB.:RXi    
   RYt                                =BBi:BMBXBMMMBY. ;RR;   
  YtV                               +Y+:tMBIBMMBMR=     iIR   
 :RR.                        .::.    .tBXtMMBMBY:        RIi  
 XIt                     ;IRBRXVRBY;   ;BBBMR=           ;VR  
.RR                    ;RBt:     .+RB;  :BI:              VY; 
+tX                   iBt           =BX                   itY 
Yt=                  ;Bi             :Bt                  :XR 
RX:                  RX               =B:                  RX.
RR                  :B:                Ri                  YX:
RR                  ;B                 YY                  YY;
RR                  :B;                Ri                  YX:
RX:                  RX               +B:                  RX.
YI;                  +Ri             :Bt                  :XR 
+tX              .i:  iBI           iBX                   itY 
.RR            ;VBBB.  ;RBt:     :+RR+                    VY; 
 XIt        .tBMMMRBB;   ;tRBVXVBRY;                     ;VR  
 :RR.     ;RBMMBVBB;;RR;     .::.                        RIi  
  IIR  .tBMMMBMMB;RMX:                                  tIR   
   RII BMMBMMBiBMB;:+Vi:                               ;RR:   
   :RV;:BMBXBMB;;VBY.                                 :RX+    
    ;RV+:BMB;RBMY  ;t;                               ;RXt     
     ;RXt.RMB;:tBB=                                 ;RVi      
      :RYR.;BBY. :+t;                              IXR;       
        XXR+ ;RBY:                               ;RYR:        
         ;RYR; .;Yi:                           :XXVt          
           +VXV=                             ;YVVt.           
             +VXVI;                       ;tVXVt.             
               ;tVXXYi;.              ;+IXXVY;                

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia is originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.