Feb 16, 2017

Building Secure Software With a Card Game

If you are like me, you like designing and building robust and secure software. Security analysis is hard and can be tedious, but it doesn't have to be.
What if it were a game?

OWASP Cornucopia is a card game based on the structure of the OWASP Secure Coding Practices to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.
The idea isn't new. The Microsoft SDL team had already published its Elevation of Privilege (EoP) card game, but Cornucopia specifically addresses the kinds of issues that web application development teams most often have to deal with.

Cornucopia is based on the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. If you are not familiar with STRIDE and DREAD (but even if you are), give this deck of cards a chance.

The deck has five suits:

  • Data Validation and Encoding (VE)
  • Authentication (AT)
  • Session Management (SM)
  • Authorization (AZ)
  • Cryptography (CR)
  • Cornucopia (C)

The Cornucopia suit is for anything else.

Each card describes an attack, and the attacker is given a name. You can play the game in many different ways; for examples, check the official OWASP Cornucopia wiki.

Huge thanks to Blackfoot for sending me this deck. 🙌

Keep Learning.
Until next time 😎