Cornucopia

What is Cornucopia?

OWASP Cornucopia is a card game that helps software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic. The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-focused user stories. Cornucopia is an OWASP production project. The cards can be downloaded and printed, or bought online from the project website. It is also possible to play OWASP Cornucopia online using the Cornucopia game engine, called Copi, which also offers a broad selection of other EoP-related games.

Why use it?

The OWASP Cornucopia card game is designed to help developers think about possible threats to a solution design and derive a set of security requirements to build against. Team members are each dealt cards that describe particular threats. They then take turns making the case that their particular threat poses a risk to the solution design, scoring points if they succeed.

OWASP Cornucopia groups threats into areas that are particularly relevant to software developers, such as AI, authentication, authorisation, cloud, data validation & encoding, DevOps, and frontend (client-side development). The threats are derived from various standards, OWASP Top 10 lists, guides, and other lists. For the full list, and to find out how to acquire and play the games, see the project website at cornucopia.owasp.org.

Cornucopia is useful for both requirements analysis and threat modeling, gamifying these activities within the development lifecycle. It is targeted at agile development teams and provides a different perspective on these tasks.

The outcome of the game is a list of identified threats together with proposed remediations.

How to use Cornucopia

There is no single way to play Cornucopia; it can be played in many different ways, and the project provides a suggested set of rules to get a game started. OWASP Threat Dragon also has a diagram called "EoP Games" that lets players link a scoring card directly to a threat model, simplifying security requirements analysis.

The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification: 'Project 16 - Cornucopia'. Videos on the OWASP Cornucopia website also demonstrate several ways the game can be used. There is also an OWASP 25th Anniversary video that gives a short presentation on the games and how to use them.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.