Beyond DevSecOps: Implement OWASP Top 10 by playing Cornucopia

In the pursuit of secure software development, the adoption of DevSecOps has been a significant milestone. However, there is a lot more to Application Security than DevSecOps. Let's look beyond DevSecOps and explore how OWASP resources, especially the OWASP Top 10 and OWASP Cornucopia, can improve the quality of your applications.

DevSecOps: A Solid Start, Not the Finish of Application Security

DevSecOps lays down the groundwork by automating security checks, but this is just the foundation. True AppSec requires us to look at the bigger picture—identifying security needs that are not just technical but also architectural and strategic. OWASP provides excellent guidance for you and your team to move beyond DevSecOps.

OWASP Top 10 as a guiding principle for your manual security efforts

While DevSecOps tools can flag common vulnerabilities like SQL injection or XSS, they might miss complex issues such as logic flaws or architectural weaknesses. To make sure you focus on the right priorities in developing more secure software, the OWASP Top 10 provides great guidance and helps you prioritize your efforts. However, a thorough understanding of the OWASP Top 10 requires in-depth knowledge about security. If you are new to this, it can be daunting to figure out how to correctly improve the security of your applications.

Luckily, there is much more to OWASP than the Top 10. If you're new to AppSec and OWASP, we advise starting by playing OWASP Cornucopia.

Integrate OWASP Cornucopia into Your Scrum Process

Incorporating the OWASP Cornucopia card game into your Scrum process can help bridge the gap left by DevSecOps. Playing Cornucopia is about learning security best practices together and avoiding common pitfalls in the development of secure applications.

OWASP ASVS: Dive Deeper into the AppSec World

OWASP Cornucopia provides a useful mapping to the ASVS 4.0 standard. We definitely recommend checking out ASVS 4.0 while playing Cornucopia. If you want to implement a rigorous security standard, ASVS is definitely a great place to look. It provides detailed guidance about how to build secure applications. Its granular approach, whereby you can aim for a level suited to your needs (Level 1 suffices for low-risk applications, but your team can opt to go for Level 2), allows your team to take a gradual approach to improving your applications.

While DevSecOps is a step forward, the full embrace of AppSec is a multi-dimensional journey. OWASP tools, particularly playing OWASP Cornucopia and combining it with the Top 10 for awareness and the Application Security Verification Standard (ASVS) for benchmarks and a more in-depth security implementation, provide a comprehensive path to secure software development.

In essence, DevSecOps is the automation of security within your workflow, but integrating OWASP’s tools brings a robust depth to your security approach. It’s not just about tools—it's about nurturing a culture where security is ingrained in thought and action.

Embrace security as a continuous journey. Integrate OWASP Cornucopia and ASVS into your Scrum process and witness your team's growth towards a more secure horizon.

Good luck!

Provided by dotNET lab

This website is created, hosted and provided by dotNET lab. dotNET lab provides training and guidance on secure software development. Contact us to get in touch!

OWASP Cornucopia

OWASP Cornucopia was originally created by Colin Watson. It is open source and can be downloaded free of charge from the OWASP website. It is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one. OWASP does not endorse or recommend commercial products or services. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.