The OWASP Cornucopia card game serves as an engaging tool for development teams to identify potential threats. In a previous post, I outlined the optimal integration of Threat Modeling within the Scrum process using the OWASP Cornucopia game. This post delves into three practical scenarios for converting Cornucopia cards into actionable Product Backlog Items (PBIs).
The OWASP Cornucopia card game offers a developer-focused, lightweight approach to threat modeling, minimizing the complexity often associated with security engineering. Here, I aim to demonstrate three straightforward methods for creating effective threat models from each Cornucopia card.
Assuming your team has previously played the Cornucopia game, you should have a list of identified cards, each potentially annotated with reasons for their relevance to your project. The task now is to translate these cards into PBIs within your product backlog.
Imagine your team has used three Cornucopia suits: Authentication, Authorization, and Data Validation & Encoding to identify threats pertinent to your project:
The next steps involve creating PBIs from these identified cards.
Cornucopia inherently recommends sorting the cards by their value, providing a preliminary order. However, this prioritization can be adjusted based on specific project needs and insights.
Let's use the following three cards for detailed examination:
While the development team assumes that it implements server-side controls, it acknowledged that there is no logging in place for changes to the allocation of roles to users. You wrote this on the scorecard for Authentication-K:
You simply create the Product Backlog Item: "Add logging to all changes of user-information in the application".
Without specific notes for this card, you rely solely on its identified relevance. The steps are as follows:
This review highlights the absence of a unified approach to sanitizing input data, prompting the creation of a PBI: "Establish a centralized mechanism for sanitizing all system input data."
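To make the two PBIs above concrete, here is an added example (not code from the original post, and not from the OWASP Cornucopia project) of what a team might deliver for them in a Python service. The names `validate_input`, `UserService`, the role names and the audit event shape are all assumptions for illustration. It shows a single allow-list validation entry point that every external input must pass through (the Data Validation PBI) and an audit trail that records every change to a user's role assignments with actor, subject, before and after state (the Authentication-K PBI). Unchanged assignments deliberately produce no event, so the log only contains real changes.

```python
"""Added example: centralised input validation plus an audit log of role changes.
Hypothetical service, written for this post; names and roles are assumptions.
"""
import json
import logging
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Centralised validation: every external value is checked against a named
# allow-list rule here; no other code in the service touches raw input.
_RULES = {
    "username": re.compile(r"^[a-z0-9_.-]{3,32}$"),
    "role": re.compile(r"^(viewer|editor|admin)$"),      # assumed role set
    "display_name": re.compile(r"^[\w .'-]{1,64}$"),
}


class ValidationError(ValueError):
    """Raised when an input does not match its allow-list rule."""


def validate_input(kind: str, value) -> str:
    """Return the cleaned value for rule `kind`, or raise ValidationError."""
    if not isinstance(value, str):
        raise ValidationError(f"{kind}: expected a string")
    rule = _RULES.get(kind)
    if rule is None:
        # An unknown rule name is a programming error, not a user error:
        # fail closed rather than silently accepting the value.
        raise ValidationError(f"no validation rule registered for {kind!r}")
    value = value.strip()
    if not rule.fullmatch(value):
        raise ValidationError(f"{kind}: rejected by allow-list rule")
    return value


@dataclass(frozen=True)
class AuditEvent:
    """One immutable record of a change to a user's role assignments."""
    action: str      # "role.assign" or "role.revoke"
    actor: str       # who made the change
    subject: str     # whose roles changed
    before: tuple    # sorted roles before the change
    after: tuple     # sorted roles after the change
    at: str          # ISO-8601 UTC timestamp


class UserService:
    """Server-side role management with an append-only audit trail."""

    def __init__(self, clock=None):
        self._roles: dict = {}                 # subject -> set of roles
        self.audit: list = []                  # in-memory copy of the trail
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self._log = logging.getLogger("audit")

    def _record(self, action, actor, subject, before, after):
        event = AuditEvent(action, actor, subject,
                           tuple(sorted(before)), tuple(sorted(after)),
                           self._clock())
        self.audit.append(event)
        # Structured JSON line so a SIEM can parse it without custom regexes.
        self._log.info(json.dumps(event.__dict__))

    def _change(self, action, actor, subject, role, add: bool):
        actor = validate_input("username", actor)
        subject = validate_input("username", subject)
        role = validate_input("role", role)
        before = set(self._roles.get(subject, set()))
        after = (before | {role}) if add else (before - {role})
        if after != before:                    # log only real changes
            self._roles[subject] = after
            self._record(action, actor, subject, before, after)
        return frozenset(after)

    def assign_role(self, actor, subject, role):
        return self._change("role.assign", actor, subject, role, add=True)

    def revoke_role(self, actor, subject, role):
        return self._change("role.revoke", actor, subject, role, add=False)

    def roles_of(self, subject):
        return frozenset(self._roles.get(validate_input("username", subject), set()))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    svc = UserService()
    svc.assign_role("alice", "bob", "editor")
    svc.assign_role("alice", "bob", "admin")
    svc.revoke_role("alice", "bob", "editor")
    print(sorted(svc.roles_of("bob")))
```

Run it directly and the three audit lines appear on stdout as JSON; the `clock` parameter exists so tests can pin the timestamp. Because `_change` validates the actor as well as the subject, an attempt to smuggle a malformed principal name into the audit trail is rejected before anything is written.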
!! Consult the OWASP Cheat Sheet Series Index !!
The Cheat Sheet Series offers invaluable insights into securing software development. It's recommended that the Technical Lead review the cheat sheets related to the identified cards to uncover potential security gaps, benefiting from language-specific secure coding examples.
The ease of enumerating user accounts, due to predictable email address patterns, is noted. Despite the inability to alter company email policies, it's decided to acknowledge this threat and seek IT guidance on mitigation strategies. This scenario does not result in a new PBI.
Security threats should be treated as any other backlog item, with the Technical Lead and Product Owner collaboratively prioritizing the PBIs.
The OWASP ASVS offers detailed insights into each card's security aspects, facilitating a thorough threat analysis and the identification of necessary security features for implementation.
The OWASP Cornucopia game, through its practical approach and linkage to other OWASP resources, not only aids teams in identifying threats but also in swiftly defining PBIs to enhance application security. Utilizing Cornucopia alongside OWASP ASVS can significantly improve security measures, even for software developers with limited Threat Modeling expertise.
Good Luck!
Ive
Feel free to use the comment section below for feedback or questions.