<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: OWASP® Foundation</title>
    <description>The latest articles on DEV Community by OWASP® Foundation (@owasp).</description>
    <link>https://dev.to/owasp</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F3468%2F0b3561bb-9ac3-413f-baaa-5014181e4b4d.jpg</url>
      <title>DEV Community: OWASP® Foundation</title>
      <link>https://dev.to/owasp</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/owasp"/>
    <language>en</language>
    <item>
      <title>Introducing an OWASP Game for threat modeling Agentic AI, Cloud, DevOps, Frontend, LLM, Automation, and Web</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Mon, 11 May 2026 01:27:15 +0000</pubDate>
      <link>https://dev.to/owasp/introducing-a-owasp-game-for-threat-modeling-agentic-ai-cloud-devops-frontend-llm-automation-5984</link>
      <guid>https://dev.to/owasp/introducing-a-owasp-game-for-threat-modeling-agentic-ai-cloud-devops-frontend-llm-automation-5984</guid>
      <description>&lt;p&gt;&lt;strong&gt;Shift-left doesn't start with scanning the code for security vulnerabilities; it begins with designing for security.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Too often, the shift-left mantra consists of implementing (AI-powered) code scanning and applying AI-powered security fixes for remediation. Also, don't forget to implement the AI-powered benchmark for AI-powered Security Fixes. Now, to be clear, I am not actually telling you to stop using these tools if they work for you. Instead, we should ask ourselves:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;li&gt;Did we do a good job?&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  OWASP Cornucopia v3.0
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk0hjx4i4t1zmevfoemgq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fk0hjx4i4t1zmevfoemgq.png" alt="OWASP Cornucopia Website App Edition v3.0" width="800" height="447"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In order to support that second question in particular, we have released the next version of &lt;a href="https://github.com/OWASP/cornucopia/releases/tag/v3.0.0" rel="noopener noreferrer"&gt;OWASP Cornucopia v3.0&lt;/a&gt;.&lt;br&gt;
If you would like to buy a professional physical copy of v3.0, you can do so at &lt;a href="https://cybersecgames.com/pages/owasp-cornucopia-threat-modeling-collection" rel="noopener noreferrer"&gt;CyberSec Games&lt;/a&gt;. We would suggest buying the 25th anniversary edition as it also comes with both the Website App Edition 3.0 and the new OWASP Cornucopia Companion Edition, specifically made to be used together as an expansion. You can also download the design files from the release and take them to your local printer or print them yourself.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fni4jgw3w1qrgnke9bhzv.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fni4jgw3w1qrgnke9bhzv.jpg" alt="The 25th anniversary edition" width="800" height="446"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://cornucopia.owasp.org/about" rel="noopener noreferrer"&gt;OWASP Cornucopia&lt;/a&gt; is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology-agnostic.&lt;br&gt;
The formerly titled “Cornucopia — Ecommerce Website Edition” was renamed in v2.0 to “Cornucopia — Website App Edition”. This edition was originally created in August 2012, released as v1.0 in February 2013, and has undergone several minor updates/releases over the following ten to fifteen years. This has been substantially updated in v2.0, in which the most noticeable change was an update of the OWASP ASVS mapping from ASVS v3.0 to v4.0, together with the creation of translations into six languages (EN, ES, FR, NL, NO-NB, and PT-BR) due to the efforts of past and current volunteers.&lt;/p&gt;

&lt;p&gt;The new version, available in 11 languages (EN, ES, FR, HI, NL, NO-NB, PT-PT, PT-BR, RU, UK, IT), includes all new cards and text that cover all OWASP ASVS 5.0 requirements and links them to more than &lt;a href="https://cornucopia.owasp.org/edition/webapp/VEK/3.0/en#Mappings" rel="noopener noreferrer"&gt;200 unique common attack patterns (CAPEC™)&lt;/a&gt;. Each of the common attack patterns will have a unique set of ASVS 5.0 requirements, which means that you never need to stop playing the game! You will always be able to return to the same card to discover new threats and security requirements to consider when building your software; that's the Cornucopia way.&lt;/p&gt;

&lt;p&gt;We have also &lt;a href="https://cornucopia.owasp.org/api/docs" rel="noopener noreferrer"&gt;created an API&lt;/a&gt; where you can find, programmatically, all requirements connected to each card together with a complete mapping between CAPECs and ASVS 5.0 requirements so that you can automate your threat modeling and requirement analysis processes. If you want to know more about the latest additions to the Website App Edition v3.0, read all about it on our blog post "&lt;a href="https://dev.to/owasp/the-cornucopia-of-gamified-threat-modeling-1c9k"&gt;The Cornucopia of Gamified Threat Modeling&lt;/a&gt;".&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP Cornucopia Companion Edition v1.0
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx2hjmxpganm7sz72dgh5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx2hjmxpganm7sz72dgh5.png" alt="OWASP Companion Edition v1.0" width="800" height="447"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Today, we are publishing a brand new &lt;a href="https://cornucopia.owasp.org/edition/companion" rel="noopener noreferrer"&gt;OWASP Cornucopia Edition&lt;/a&gt; to complement the existing two editions. The &lt;a href="https://cornucopia.owasp.org/edition/companion" rel="noopener noreferrer"&gt;OWASP Cornucopia Companion Edition v1.0&lt;/a&gt; comes with 6 companion suits covering new topics: Agentic AI (AAI), Automated Threats (BOT), Cloud (CLD), Frontend (FRE), Large Language Models (LLM), and DevOps (DVO). A suit in the companion deck may replace (or be used in addition to) suits in the existing Website Edition so that the players can add a specific focus to their threat modeling: For example, say you are building an LLM application and want to perform threat modeling and security requirement analysis specifically for LLM. You would then use the OWASP Cornucopia Website Edition and the LLM companion suit as your elected OWASP Cornucopia focus area. The new version is immediately available online at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; and for sale at &lt;a href="https://cybersecgames.com/pages/owasp-cornucopia-threat-modeling-collection" rel="noopener noreferrer"&gt;CyberSec Games&lt;/a&gt;. You can also download the design files from &lt;a href="https://github.com/OWASP/cornucopia/releases/tag/v3.0.0" rel="noopener noreferrer"&gt;the latest release&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;To commemorate the OWASP Foundation's 25th anniversary, we have also designed the case, leaflet, and cards specifically to celebrate the anniversary and OWASP's achievements within the field of application security and software engineering. We will also be attending the OWASP Global AppSec 2026 in Vienna, where we will be demoing the game for anyone who wants to come and play with us.&lt;/p&gt;

&lt;p&gt;We feel this is only the start; each year, OWASP Cornucopia resellers distribute 1,000 games to teams worldwide. At copi.owasp.org, more than 500 users conduct threat modeling for mobile applications, agentic AI, automated threats, cloud, identity management, large language models, and SDL processes every month. In the coming period, we at OWASP Cornucopia will work towards promoting threat modeling and games to change the security culture at software companies worldwide.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2cph7t5abkkqvmqd1tu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn2cph7t5abkkqvmqd1tu.png" alt="Copi users" width="800" height="481"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Why a companion edition?
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiixglrhdou5yp6m7b94f.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fiixglrhdou5yp6m7b94f.png" alt="Threat modeling isn't only for security people" width="800" height="336"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The time when development teams could focus only on web development is long gone. Modern software development and sprint planning often include implementing integrations with large language models, AI agents, and DevOps pipelines through full-stack development. In such an environment, security requirements are constantly shifting from sprint to sprint. Therefore, the only option is an agile and collaborative approach to threat modeling that supports including a large number of people with various backgrounds, experiences, and knowledge.&lt;br&gt;
The OWASP Cornucopia Companion Edition was created to accommodate this. A big, beautiful Excel document can never replace a collaborative approach to threat modeling that includes the opinions of everyone on the development team. To avoid having the threat modeling and security design processes become an exercise in superficial ISO compliance, you need to empower your development teams to work together to come up with a secure design. Such a process requires ingenuity, thinking outside the box, and making unpopular decisions that may affect the delivery schedule of a development project. Neither an Excel document nor an ISO 27001 policy will ever get a development team to do that.&lt;/p&gt;

&lt;p&gt;Failing to regularly assess your security isn't only costly; it can leave you vulnerable to threats. Several companies have implemented OWASP Cornucopia as part of their SDLC and use it for security requirements analysis, threat modeling, and secure design for every sprint and every user story. You should do the same! Don't let your business spiral out of control; consciously assess how you are doing by continuously threat-modeling your applications and infrastructure. To get started scaling your threat modeling efforts, OWASP Cornucopia and its companion edition are the perfect tools.&lt;/p&gt;

&lt;p&gt;We want to thank all project leaders and contributors to the OWASP projects who have provided valuable input and guidance on the OWASP Top 10, OWASP AISVS, OWASP MAS, OWASP Cumulus, OWASP Threat Dragon and the OWASP GenAI Security project. It's thanks to these projects, and many more, that we can deliver to you the OWASP gamified approach to threat modeling and requirement analysis.&lt;br&gt;
We also want to thank the people and contributors to Mitre's Common Attack Pattern Enumeration and Classification (CAPEC™) and Atlas, together with CSA Cloud Controls Matrix, which are all used in the cross-references provided.&lt;/p&gt;
&lt;h2&gt;
  
  
  Walk that walk, talk that talk
&lt;/h2&gt;

&lt;p&gt;With this latest version of OWASP Cornucopia, we are making it more than a game; it has become a fully fledged threat modeling tool. It doesn’t just feed into your threat modeling process; it drives it, and it doesn’t just work; it scales! A long-time project contributor, previously working at Banco de Crédito BCP, used OWASP Cornucopia to train hundreds of people in using &lt;a href="https://cybersecgames.com/blogs/case-studies/identifying-abuse-before-designing-architecture-embedding-game-based-threat-modelling-into-agile-delivery-at-a-major-latin-american-bank" rel="noopener noreferrer"&gt;OWASP Cornucopia for threat modeling&lt;/a&gt;.&lt;br&gt;
Several companies, such as Admincontrol AS, a Euronext subsidiary, are using it as part of their custom development methodology and have made it the &lt;a href="https://cybersecgames.com/blogs/case-studies/case-study-scaling-threat-modelling-through-gamification-at-admincontrol" rel="noopener noreferrer"&gt;primary mechanism for structured threat elicitation&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;"Continuous Gamified threat modeling", done the OWASP way, has been tested and proven to work and is generally welcomed by ISO auditors. Not only is it welcomed, but auditors also love to hear about how it can be used to create engagement and change the culture of the companies that make use of it. This, according to Admincontrol, which has been audited 4 times using all 97 controls from ISO 27001/27002 as part of their information security management system. "Continuous Gamified Threat Modeling" is about assisting software development teams in identifying security requirements in Agile, conventional, and formal development processes through continuous gamification and threat modeling for every feature and every release. Don't apologize for designing before coding, it's called thinking!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flkhqpmt7dioxzsbqxcuh.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flkhqpmt7dioxzsbqxcuh.jpg" alt="Don't apologize for designing before coding, it's called thinking!" width="800" height="464"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And the developers? They love it! At the company I work for (Admincontrol), they always send out an anonymous survey to gather team feedback.&lt;br&gt;
The aggregate score for how satisfied respondents have been with all sessions they've held since they started to use OWASP Cornucopia in 2023 is 4.5 out of 5, which is the maximum. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnud8608d8ujtj6fccdg5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnud8608d8ujtj6fccdg5.png" alt="Relevant for your job" width="800" height="395"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqcqi7p5h06plms4re4kn.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqcqi7p5h06plms4re4kn.png" alt="How satisfied are you?" width="800" height="375"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The point here is not just to do your initial security risk assessment and be done with it, but to continuously look for new threats as you improve your software, in line with the &lt;a href="https://www.threatmodelingmanifesto.org/" rel="noopener noreferrer"&gt;Threat Modeling Manifesto&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;"Continuous Threat Modeling", a term described in "&lt;a href="https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553" rel="noopener noreferrer"&gt;Threat Modeling: A Practical Guide for Development Teams&lt;/a&gt;", is essential to keep your applications and infrastructure secure as you expand your system with new features and machines and increase the attack surface. Gamification can help you get started doing just that. So why would you want to continuously threat model your infrastructure and applications? Isn't it enough to just do a thorough check-up now and then? &lt;a href="https://cybersecgames.com/blogs/case-studies/case-study-scaling-threat-modelling-through-gamification-at-admincontrol" rel="noopener noreferrer"&gt;Admincontrol thought so as well&lt;/a&gt;!&lt;/p&gt;

&lt;p&gt;Admincontrol used threat modeling to design its applications. They have large sessions that they run once a year and several smaller sessions for each sprint. They define Jira issues to mitigate these threats and assign them directly to the development team's backlog. Then they have security backlog grooming once a month with the product owners, where they discuss directly with them how they can resolve these issues.&lt;br&gt;
The first graph shows the resolution time for Jira issues created during the annual threat modeling session. The second graph shows the resolution of Jira issues for the threat modeling they do each sprint.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97x4rhidmqm26pwb6nd5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F97x4rhidmqm26pwb6nd5.png" alt="Large Threat Modeling Sessions" width="800" height="554"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3taf1mmkdlsu2iog8me0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3taf1mmkdlsu2iog8me0.png" alt="Small Threat Modeling Sessions" width="800" height="553"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As shown in the first graph, the resolution time is increasing. This is because they had Jira issues that were defined but never resolved. Some of the issues had taken nearly 3 years to resolve.&lt;br&gt;
The second graph shows an increase in resolution time. This is because Admincontrol had a component that didn't get finalized. It stayed on the drawing board, but the threat modeling was done, so the resolution time spiked. There are no data prior to 2023, as they didn't keep this form of statistics before then. On average, the resolution time for the short threat modeling sessions was ca. 3 months. This usually coincided with the frequency of their minor releases, which included new features.&lt;/p&gt;

&lt;p&gt;If you do long, large sessions, you run the risk of doing threat modeling irregularly, meaning you will have issues you will never be able to solve, and issues meant to improve security will stay in the development team's backlog forever, never to see the light of day. If you think technical debt is scary, wait until you see your security debt.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhsd0flryamsuj6vj1az.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhsd0flryamsuj6vj1az.jpg" alt="Sec Debt" width="800" height="539"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Credits
&lt;/h2&gt;

&lt;p&gt;We want to thank everyone who has made this possible. In particular, we want to thank&lt;/p&gt;

&lt;p&gt;Adrian Sroka, for bringing us the Agentic AI, Cloud, and Frontend suits for the new game and creating online pages and mapping his threats to OWASP AISVS, AITG, Top 10 Agentic Apps, and Top 10 for LLM, Mitre Atlas, and STRIDE.&lt;/p&gt;

&lt;p&gt;Mateusz Hubala, for bringing us the DevOps suit for the game and creating online pages and mapping his threats to OWASP SAMM and DSOMM, CAPEC, and STRIDE.&lt;/p&gt;

&lt;p&gt;Moritz Krause &amp;amp; Torben Neumann, for bringing us the LLM suit for the game and mapping their threats to OWASP AISVS, AITG, Top 10 for LLM, Mitre Atlas, CWE, and STRIDE.&lt;/p&gt;

&lt;p&gt;Colin Watson, for bringing us the Automated Threats suit and mapping his threats to OWASP Automated Threats to Web Applications.&lt;/p&gt;

&lt;p&gt;We also want to especially thank Ayman Algamal, Adarsh Kumar, Abhijit Sahoo, and Mradul Tiwari for helping develop the game, now available at copi.owasp.org, and for creating the help pages at cornucopia.owasp.org.&lt;/p&gt;

&lt;p&gt;And we want to thank all project leaders and contributors to the OWASP projects that have provided valuable input and guidance on the OWASP Top 10, OWASP AISVS, and the OWASP GenAI Security project. We also want to thank the people and contributors to Mitre's Common Attack Pattern Enumeration and Classification (CAPEC™) and Mitre Atlas™, and the Cloud Security Alliance for the use of the Cloud Controls Matrix, which are all used in the cross-references provided.&lt;/p&gt;

&lt;p&gt;In addition, we want to thank Anand Kushwaha and Mahaboobunnisa Md for helping with the release of v3.0.0, and CyberSec Games for all the help and support with the printing and distribution of the 25th anniversary edition.&lt;/p&gt;
&lt;h2&gt;
  
  
  Final words
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia welcomes any input or improvements you might be willing to share with us. For anyone wanting to share their opinion, please don't hesitate to &lt;a href="https://github.com/OWASP/cornucopia/issues" rel="noopener noreferrer"&gt;visit our repository&lt;/a&gt;, share your feedback, and, if appropriate, give us a star⭐️.&lt;/p&gt;

&lt;p&gt;&lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;&lt;/iframe&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 340 chapters worldwide.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>gamedev</category>
      <category>appsec</category>
    </item>
    <item>
      <title>The Cornucopia of Gamified Threat Modeling</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Tue, 24 Mar 2026 09:55:15 +0000</pubDate>
      <link>https://dev.to/owasp/the-cornucopia-of-gamified-threat-modeling-1c9k</link>
      <guid>https://dev.to/owasp/the-cornucopia-of-gamified-threat-modeling-1c9k</guid>
      <description>&lt;p&gt;&lt;strong&gt;At the OWASP Cornucopia project, we are done with updating the cards and help pages for the Website App Edition v3.0: &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org/edition/webapp/VE2/3.0&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We would like to thank everyone who contributed to the translations for the new version of the card game and welcome you to review the text on the help pages themselves. Are there inconsistencies? Is there something you feel should be added or removed? If you find anything, please don't hesitate to contact us or raise an issue. Each page includes a "View source on GitHub" button that lets you quickly edit the text if you aren't pleased with it. All viewpoints and critiques are welcome as we are trying to create a home for gamified threat modelling.&lt;/p&gt;

&lt;p&gt;The new Website App Edition v3.0, available in 11 languages (EN, ES, FR, HI, NL, NO-NB, PT-PT, PT-BR, RU, UK, IT), connects 202 CAPECs individually to a set of ASVS 5.0 requirements in relation to each of the cards. This means, even though you only have 80 cards, the website describes an exponential number of possible threats, making it the Cornucopia of website app threats. There is simply no end to the possibilities that your thoughts can take you while playing the game; yes, that's the Cornucopia way.&lt;br&gt;
But what if you want to focus on a specific CAPEC and find the related OWASP ASVS requirements?&lt;br&gt;
Go to a card, click on the CAPEC in the CAPEC map, and it will give you all the possible OWASP ASVS combinations, thereby connecting attack patterns and security requirements, making a thorough and deep website security requirement analysis possible while discussing a specific card. You can literally spend weeks analysing, playing, deciding for yourself "What can go wrong?", "What to do about it?", and even forming your own opinion on whether you really did a good job (see: &lt;a href="https://github.com/adamshostack/4QuestionFrame" rel="noopener noreferrer"&gt;Shostack's Four Question Frame for Threat Modeling&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Have we stopped there? No, we haven't! For each card, you also have the "OWASP Cheat Sheet Series Index". What is that? The "OWASP Cheat Sheet Series Index" is an OWASP index that connects each of the ASVS requirements with a set of OWASP Cheat Sheets that will give you advice on how to implement the specific OWASP ASVS requirement! Want to know how to do log protection according to "OWASP ASVS V16.4 - Log Protection"? No problem! The "OWASP ASVS (5.0) Cheat Sheet Series Index" displayed on the help pages for each card will take you to the collection of OWASP Cheat Sheets related to the requirement you are wondering about.&lt;/p&gt;

&lt;p&gt;But there is even more! What about STRIDE? What about Threat Modeling? Each card has a &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#STRIDE" rel="noopener noreferrer"&gt;STRIDE section&lt;/a&gt;, a &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-can-go-wrong?" rel="noopener noreferrer"&gt;"What can go wrong?"&lt;/a&gt; section, and a &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;"What are we going to do about it?"&lt;/a&gt; section.&lt;/p&gt;

&lt;p&gt;This means that during your threat modeling, if you have questions about &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-can-go-wrong?" rel="noopener noreferrer"&gt;"What can go wrong?"&lt;/a&gt; or &lt;a href="https://cornucopia.owasp.org/edition/webapp/VE2/3.0#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;"What are we going to do about it?"&lt;/a&gt;, just go to the individual card pages, and you will find what you are looking for!&lt;/p&gt;

&lt;p&gt;Now, you may be asking yourself, "That's it, right?" No, it isn't; we have even moooooooore!&lt;/p&gt;
&lt;h2&gt;
  
  
  Threat Dragon and EoP Games
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" alt="Threat Dragon and EoP Games" width="800" height="637"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When choosing a tool for publishing our threat model, we chose &lt;a href="https://www.threatdragon.com/#/" rel="noopener noreferrer"&gt;OWASP Threat Dragon&lt;/a&gt;. OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to create threat modeling diagrams and list threats for elements within the diagrams. Mike Goodwin created Threat Dragon as an open-source community project that provides an intuitive, accessible way to model threats.&lt;/p&gt;

&lt;p&gt;OWASP Threat Dragon added support for OWASP Cornucopia threat models in v2.6. This is just the start of the integration between the two projects.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" alt="How to choose to create a OWASP Cornucopia threat model" width="800" height="637"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks to Gerardo Canedo and his students at Universidad Católica del Uruguay, it's now possible to create your OWASP Cornucopia Threat Model directly in OWASP Threat Dragon. When creating a new diagram for your threat model, simply choose to create an EoP Games diagram. We chose to call the diagram EoP Games for two reasons. One, OWASP Cornucopia is derived from the &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege game&lt;/a&gt; created by Adam Shostack. Two, we don't want to stop with OWASP Cornucopia. We also want to add other EoP games, such as the original EoP Game.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" alt="Create a OWASP Cornucopia threat" width="800" height="637"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you have created an EoP Games diagram, you can add OWASP Cornucopia threats to your threat model. The specific threat you add will get a link reference to the &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#Threat-Modeling" rel="noopener noreferrer"&gt;OWASP Cornucopia website&lt;/a&gt;, where you will find guidance on threat modeling and STRIDE, which will help you in identifying what can go wrong and what to do about it. You can also find a &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;complete mapping&lt;/a&gt; to &lt;a href="https://cornucopia.owasp.org/taxonomy/asvs-4.0.3/02-authentication/05-credential-recovery#V2.5.2" rel="noopener noreferrer"&gt;OWASP ASVS&lt;/a&gt;, &lt;a href="https://devguide.owasp.org/en/04-design/02-web-app-checklist/06-digital-identity/#1-authentication-a" rel="noopener noreferrer"&gt;OWASP Developer Guide&lt;/a&gt;, and all &lt;a href="https://cornucopia.owasp.org/taxonomy/capec-3.9" rel="noopener noreferrer"&gt;relevant CAPECs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" alt="OWASP Cornucopia Website" width="800" height="737"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I want to express my sincere appreciation to Gerardo Canedo, Sebastian Feirres, and their students at Universidad Católica del Uruguay for making this possible. Without their dedication and effort, OWASP Cornucopia wouldn’t have had this possibility.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" alt="Gerardo Canedo and his students at Universidad Católica del Uruguay" width="800" height="611"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Shostack's 4 Question Frame for Threat Modeling
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia, together with OWASP Threat Dragon, is helping us in answering:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...but what about "Did we do a good enough job?"&lt;/p&gt;

&lt;p&gt;At Admincontrol, where I work, we have always sent an anonymous survey after every OWASP Cornucopia threat modeling session. The aggregate score for how satisfied respondents have been with all sessions we've held since we started OWASP Cornucopia in 2023 is 4.5 out of 5. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5. When asked whether the OWASP Cornucopia session helped the participants understand which security controls (mitigations) they need to implement/test, the score was 4.5. When asked whether the session improved the overall awareness of application security requirements, the score was 4.0. When asked, "Did we do a good job?", the score was 4.3. So for sure, we can do better!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" alt="Relevant for your job" width="800" height="395"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When asking the question, "Did we do a good enough job?", don’t just blurt it out during a session. Do you honestly think people will give you their honest criticism to your face directly? Send out an anonymous survey and ask for feedback!&lt;/p&gt;
&lt;h2&gt;
  
  
  How to get those requirements into your issue tracking software
&lt;/h2&gt;

&lt;p&gt;So you have done your threat modeling and security requirement analysis; what comes next? You need to create an issue that the development team can work on, and you need to add it to the development team's sprint. How do you do it? &lt;br&gt;
The OWASP Cornucopia project is creating a &lt;a href="https://cornucopia.owasp.org/api/docs" rel="noopener noreferrer"&gt;requirements API&lt;/a&gt; that lets you harvest the security requirements you want. After you have created your threat model in OWASP Threat Dragon, extract its JSON, look up the threats you have identified, find the corresponding security requirements using the API, merge the results, and generate your &lt;a href="https://cornucopia.owasp.org/how-to-play#Gameplay---Modelling-evil-user-stories" rel="noopener noreferrer"&gt;evil user stories&lt;/a&gt; by pushing the results to your issue tracking software just in time for the development team's next sprint.&lt;/p&gt;
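&lt;p&gt;To make that pipeline concrete, here is an added example (not OWASP Cornucopia or Threat Dragon project code) that reads a Threat Dragon model export, picks out the threats that reference a Cornucopia card, joins them with a requirements lookup, and emits tracker-agnostic issue payloads. The model shape, the requirements dictionary standing in for the API response, the evil user story template and the sample values are all constructed assumptions.&lt;/p&gt;

```python
import json
import re

# Constructed stand-in for a Threat Dragon model export. The nesting
# (detail / diagrams / cells / data.threats) follows a v2 export, but treat
# the exact field names as an assumption and check them against your own export.
MODEL_JSON = """
{
  "summary": {"title": "Copi game engine (constructed sample)"},
  "detail": {"diagrams": [{
    "title": "EoP Games diagram",
    "cells": [
      {"data": {"name": "Login API", "threats": [
        {"title": "VE2 - Unvalidated input reaches the session store",
         "status": "Open", "severity": "High", "type": "Tampering",
         "description": "submit input that is stored without validation",
         "mitigation": "Validate and encode all input server side"}]}},
      {"data": {"name": "Password reset", "threats": [
        {"title": "Weak recovery flow", "status": "Open", "severity": "Medium",
         "type": "Spoofing", "mitigation": "",
         "description": "guess the recovery secret (Cornucopia card AT3)"},
        {"title": "Closed item", "status": "NotApplicable", "severity": "Low",
         "type": "Repudiation", "description": "already triaged", "mitigation": ""}]}}
    ]}]}
}
"""

# Constructed sample of what a requirements lookup returns per card. The real
# API (https://cornucopia.owasp.org/api/docs) and its field names are not
# reproduced here; only AT3 to ASVS V2.5.2 follows the website's mapping.
REQUIREMENTS = {
    "VE2": {"asvs": ["ASVS-PLACEHOLDER"], "capec": ["CAPEC-PLACEHOLDER"]},
    "AT3": {"asvs": ["V2.5.2"], "capec": []},
}

# Website Edition suits VE, AT, SM, AZ, CR and the Cornucopia trump suit C,
# ranked 2-10, J, Q, K, A (e.g. VE2, AT3, C10). Companion suits are not covered.
CARD_ID_RE = re.compile(r"\b(?:VE|AT|SM|AZ|CR|C)(?:10|[2-9]|[JQKA])\b")
CARD_URL = "https://cornucopia.owasp.org/cards/"


def iter_threats(model):
    """Yield (element name, threat) for every threat on every diagram element."""
    for diagram in model.get("detail", {}).get("diagrams", []):
        for cell in diagram.get("cells", []):
            data = cell.get("data", {})
            for threat in data.get("threats", []):
                yield data.get("name", "unnamed element"), threat


def card_id_of(threat):
    """Return the Cornucopia card id a threat references, or None."""
    for field in ("title", "description"):
        match = CARD_ID_RE.search(threat.get(field, ""))
        if match:
            return match.group(0)
    return None


def build_evil_user_stories(model, requirements):
    """Join open Cornucopia threats with their requirements, one issue per threat."""
    issues = []
    for element, threat in iter_threats(model):
        if threat.get("status") == "NotApplicable":
            continue  # triaged out during the session; nothing to schedule
        card = card_id_of(threat)
        if card is None:
            continue  # not a Cornucopia threat; leave it to the regular backlog
        # A card with no mapped requirement is a gap to surface, not to drop.
        reqs = requirements.get(card, {"asvs": [], "capec": []})
        body = "\n".join([
            # The evil user story wording is this example's template, not the project's.
            f"As an attacker, I want to {threat.get('description') or threat['title']} "
            f"on the {element}, so that I can compromise it.",
            f"STRIDE: {threat.get('type', 'unknown')}; severity: {threat.get('severity', 'unknown')}",
            f"Card: {CARD_URL}{card}",
            "Requirements (ASVS): " + (", ".join(reqs["asvs"]) or "none mapped, review!"),
            "Attack patterns (CAPEC): " + (", ".join(reqs["capec"]) or "none mapped"),
            "Mitigation: " + (threat.get("mitigation") or "to be decided in sprint planning"),
        ])
        issues.append({
            "title": f"[{card}] {threat['title']}",
            "body": body,
            "labels": ["security", f"cornucopia:{card}",
                       f"severity:{threat.get('severity', 'unknown').lower()}"],
        })
    issues.sort(key=lambda issue: issue["title"])  # stable order for the sprint board
    return issues


def demo():
    """Run the pipeline on the constructed sample and return the issue payloads."""
    return build_evil_user_stories(json.loads(MODEL_JSON), REQUIREMENTS)


if __name__ == "__main__":
    # Tracker-agnostic: these payloads are what you would POST to your issue tracker.
    print(json.dumps(demo(), indent=2))
```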
&lt;h2&gt;
  
  
  How to get OWASP Cornucopia?
&lt;/h2&gt;

&lt;p&gt;The question you might be asking yourself is, "How are we going to be able to utilize these resources and play this game?" No problem! There are various ways you can do that, both online at &lt;a href="http://copi.owasp.org/" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; and in person, enjoying the presence of your colleagues, by &lt;a href="https://cybersecgames.com/products/owasp%C2%AE-cornucopia-3-0-website-app-edition-threat-modeling-cards-copy" rel="noopener noreferrer"&gt;buying a deck of cards&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;
  
  
  What is coming next...
&lt;/h2&gt;

&lt;p&gt;But what about DevOps? What about LLMs and AI agents? We are working on that too. The new &lt;a href="https://cornucopia.owasp.org/edition/companion" rel="noopener noreferrer"&gt;OWASP Cornucopia Companion Edition&lt;/a&gt;, which will soon be published, can be used alongside the OWASP Website App Edition and comes with 6 new companion suits covering new topics: Agentic AI (AAI), Automated Threats (BOT), Cloud (CLD), Frontend (FRE), Large Language Models (LLM), and DevOps (DVO). A suit in the companion deck may replace (or be used in addition to) suits in the existing Website Edition so that players can add a specific focus to their threat modeling. For example, say you are building an LLM application and want to perform threat modeling specifically for LLM risks. You would then use the OWASP Cornucopia Website Edition with the LLM companion suit as your elected OWASP Cornucopia focus area.&lt;/p&gt;

&lt;p&gt;OWASP Cornucopia welcomes any input or improvements you might be willing to share with us. For anyone wanting to share their opinion, please don't hesitate to &lt;a href="https://github.com/OWASP/cornucopia/issues" rel="noopener noreferrer"&gt;visit our repository&lt;/a&gt;, share your feedback, and, if appropriate, give us a star⭐️.&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>security</category>
      <category>gamedev</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>OWASP Cornucopia is publishing its darkest secrets!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Mon, 16 Feb 2026 06:39:00 +0000</pubDate>
      <link>https://dev.to/owasp/owasp-cornucopia-is-publishing-its-darkest-secrets-fjc</link>
      <guid>https://dev.to/owasp/owasp-cornucopia-is-publishing-its-darkest-secrets-fjc</guid>
      <description>&lt;p&gt;&lt;strong&gt;Why do we keep our darkest fears secret? Publish them, and bring light to the darkest corners of your web application.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When Adam Shostack and associates last year urged everyone to &lt;a href="https://shostack.org/blog/publish-your-threat-model/" rel="noopener noreferrer"&gt;publish their threat model&lt;/a&gt;, we thought, "What a wonderful idea!"&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivcsnbnbtq4qs0t4xzc6.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivcsnbnbtq4qs0t4xzc6.webp" alt="Publish your threat model, at https://shostack.org/blog/publish-your-threat-model/"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So we went ahead and did just that. At cornucopia.owasp.org, you can now &lt;a href="https://cornucopia.owasp.org/copi#Our-Threat-Model" rel="noopener noreferrer"&gt;find the threat model&lt;/a&gt; for the &lt;a href="https://copi.owasp.org/" rel="noopener noreferrer"&gt;OWASP Cornucopia Game Engine, Copi&lt;/a&gt;.&lt;br&gt;
There we have listed all our darkest fears and secrets. Darkness is not a force of its own; it is simply the absence of light. When light is shed on our doubts and fears, making them visible, we find solutions and become stronger. This is why publishing your threat model is essential. If you refuse to disclose your vulnerabilities to anyone, they become liabilities that may one day lead to doubts, lies, and perhaps even conspiracies and litigation. Therefore, before building software, build trust and make it clear what others need to be aware of.&lt;/p&gt;
&lt;h2&gt;
  
  
  Threat Dragon and EoP Games
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ry2rze9wnftocimdkyo.png" alt="Threat Dragon and EoP Games"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When choosing a tool for publishing our threat model, we chose &lt;a href="https://www.threatdragon.com/#/" rel="noopener noreferrer"&gt;OWASP Threat Dragon&lt;/a&gt;. OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to create threat modeling diagrams and list threats for elements within the diagrams. Mike Goodwin created Threat Dragon as an open-source community project that provides an intuitive, accessible way to model threats.&lt;/p&gt;

&lt;p&gt;OWASP Threat Dragon will ship this capability in v2.6, which is due to be released in week 9, but you can already try it out on their &lt;a href="https://www.threatdragon.com/#/" rel="noopener noreferrer"&gt;demo site&lt;/a&gt;. This is just the start of the integration between the two projects; more is to come. OWASP Threat Dragon v2.6 will come out with all sorts of exciting features. For a full list, have a look at their current &lt;a href="https://github.com/OWASP/threat-dragon/issues?q=label%3Aversion-2.6" rel="noopener noreferrer"&gt;v2.6 roadmap&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl25mz5xxzbt0a8t5627g.png" alt="How to choose to create a OWASP Cornucopia threat model"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks to Gerardo Canedo and his students at Universidad Católica del Uruguay, it's now possible to create your OWASP Cornucopia Threat Model directly in OWASP Threat Dragon. When creating a new diagram for your threat model, simply choose to create an EoP Games diagram. We chose to call the diagram EoP Games for two reasons. One, OWASP Cornucopia is derived from the &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege game&lt;/a&gt; created by Adam Shostack. Two, we don't want to stop with OWASP Cornucopia. We also want to add other EoP games, such as the original EoP Game.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1zl30hc63fie1wg6y7e3.png" alt="Create a OWASP Cornucopia threat"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once you have created an EoP Games diagram, you can add OWASP Cornucopia threats to your threat model. The specific threat you add will get a link reference to the &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#Threat-Modeling" rel="noopener noreferrer"&gt;OWASP Cornucopia website&lt;/a&gt;, where you will find guidance on threat modeling and STRIDE, which will help you in identifying what can go wrong and what to do about it. You can also find a &lt;a href="https://cornucopia.owasp.org/edition/webapp/AT3/2.2/en#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;complete mapping&lt;/a&gt; to &lt;a href="https://cornucopia.owasp.org/taxonomy/asvs-4.0.3/02-authentication/05-credential-recovery#V2.5.2" rel="noopener noreferrer"&gt;OWASP ASVS&lt;/a&gt;, &lt;a href="https://devguide.owasp.org/en/04-design/02-web-app-checklist/06-digital-identity/#1-authentication-a" rel="noopener noreferrer"&gt;OWASP Developer Guide&lt;/a&gt;, and all &lt;a href="https://cornucopia.owasp.org/taxonomy/capec-3.9" rel="noopener noreferrer"&gt;relevant CAPECs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9mvjvggcpwkh58fix1bc.png" alt="OWASP Cornucopia Website"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I want to express my sincere appreciation to Gerardo Canedo, Sebastian Feirres, and their students at Universidad Católica del Uruguay for making this possible. Without their dedication and effort, OWASP Cornucopia wouldn’t have had this possibility.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faabcyoarlrl9ogkvw601.JPG" alt="Gerardo Canedo and his students at Universidad Católica del Uruguay"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Shostack's 4 Question Frame for Threat Modeling
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia, together with OWASP Threat Dragon, is helping us in answering:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...but what about "Did we do a good enough job?"&lt;/p&gt;

&lt;p&gt;At Admincontrol, where I work, we have always sent an anonymous survey after every OWASP Cornucopia threat modeling session. The aggregate score for how satisfied respondents have been with all sessions we've held since we started OWASP Cornucopia in 2023 is 4.5 out of 5. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5. When asked whether the OWASP Cornucopia session helped the participants understand which security controls (mitigations) they need to implement/test, the score was 4.5. When asked whether the session improved the overall awareness of application security requirements, the score was 4.0. When asked, "Did we do a good job?", the score was 4.3. So for sure, we can do better!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn0iihqk4knhglpi3qo2l.png" alt="Relevant for your job"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When asking the question, "Did we do a good enough job?", don’t just blurt it out during a session. Do you honestly think people will give you their honest criticism to your face directly? Send out an anonymous survey and ask for feedback!&lt;/p&gt;

&lt;p&gt;OWASP Cornucopia welcomes any input or improvements you might be willing to share with us regarding our current threat model. Arguably, we created the system before we were able to identify all our threats, and several improvements need to be made to properly balance the inherent risks of compromise against the current security controls. For anyone hosting the game engine, please take this into account. For anyone wanting to share their opinion, please don't hesitate to &lt;a href="https://github.com/OWASP/cornucopia/issues" rel="noopener noreferrer"&gt;visit our repository&lt;/a&gt;, share your feedback, and, if appropriate, give us a star⭐️.&lt;/p&gt;

&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>security</category>
      <category>appsec</category>
      <category>agile</category>
      <category>infosec</category>
    </item>
    <item>
      <title>OWASP Cornucopia 3.0 - A call for card game designers!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 13 Nov 2025 12:24:59 +0000</pubDate>
      <link>https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m</link>
      <guid>https://dev.to/owasp/owasp-cornucopia-30-a-call-for-card-game-designers-1j1m</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;Would you like to be our card game designer for the OWASP Cornucopia Website Edition v3.0?&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;We are close to releasing the next version of &lt;a href="https://cornucopia.owasp.org/cards" rel="noopener noreferrer"&gt;OWASP Cornucopia Website Edition v3.0&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;We wonder whether there are some brilliant designers out there who would like to volunteer to create the motifs for the 80 cards in OWASP's very popular threat modeling card games for website applications?&lt;/p&gt;

&lt;p&gt;OWASP® Cornucopia is a threat modeling tool in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It strives to be language, platform, and technology-agnostic.&lt;/p&gt;

&lt;p&gt;It’s one of the few tools that connects threat modeling with OWASP ASVS, SAFECode, STRIDE, OWASP DevGuide, and CAPEC, helping to identify security requirements, develop a secure design, and create a threat model without prior knowledge of these frameworks. &lt;/p&gt;

&lt;p&gt;We are now creating the next version of the website app game. The new version will feature new cards and text that cover all of the requirements in OWASP ASVS 5.0 and connect these to more than 210 unique common attack patterns (CAPEC).&lt;/p&gt;

&lt;p&gt;The first edition was created in August 2012, released as v1.0 in February 2013, and has undergone several minor updates/releases over the subsequent ten years. This has been substantially updated in today’s release of v3.0, with the most noticeable change being the update of the OWASP ASVS mapping from ASVS v4.0 to v5.0. The card game comes in two physical sizes. The smaller ones are often referred to as “bridge-sized cards” and the larger ones as “Tarot-sized cards”. All these v3.0 files will be immediately available in nine languages (English, Spanish, French, Dutch, Norwegian, Portuguese, Italian, Russian, and Hungarian) due to the efforts of past and current volunteers.&lt;/p&gt;

&lt;p&gt;Don't hesitate to get in touch &lt;a href="https://www.linkedin.com/in/sydseter/" rel="noopener noreferrer"&gt;with us&lt;/a&gt; for fame and glory.&lt;/p&gt;




&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege or Elevation of MLSec and OWASP Cumulus to secure your AI models and Cloud infrastructure respectively and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt; please give us a star ⭐️.&lt;/p&gt;

&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>gamedev</category>
      <category>security</category>
      <category>design</category>
      <category>webdev</category>
    </item>
    <item>
      <title>How do you get your dev team to shift left by themselves for real?</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Fri, 03 Oct 2025 07:12:03 +0000</pubDate>
      <link>https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap</link>
      <guid>https://dev.to/owasp/how-do-you-get-your-dev-team-to-shift-left-by-themselves-for-real-3eap</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;Shift-left doesn't start with scanning the code for security vulnerabilities; it begins with designing it. Play yourself secure with OWASP Cornucopia Website Edition v2.2&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;Too often, the shift-left mantra consists of implementing AI code scanning and applying AI-powered security fixes for remediation. Also, don't forget to implement the &lt;a href="https://engineering.fb.com/2025/04/29/ai-research/autopatchbench-benchmark-ai-powered-security-fixes/" rel="noopener noreferrer"&gt;AI-powered benchmark for AI-Powered Security Fixes&lt;/a&gt;. We're not telling you to stop using these tools; instead, we want to ask ourselves:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What are we going to do about it?&lt;/li&gt;
&lt;li&gt;Did we do a good job?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Source: &lt;a href="https://github.com/adamshostack/4QuestionFrame" rel="noopener noreferrer"&gt;Shostack's Four Question Frame for Threat Modeling&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Secure design starts with understanding &lt;strong&gt;what we are working on&lt;/strong&gt;, asking &lt;strong&gt;what can go wrong&lt;/strong&gt; and &lt;strong&gt;what we are going to do about it&lt;/strong&gt;. "I'll leave that to the AI assistants," you say?&lt;br&gt;
Before you do, know that the "&lt;a href="https://www.veracode.com/blog/ai-generated-code-security-risks/" rel="noopener noreferrer"&gt;2025 GenAI Code Security Report&lt;/a&gt;" from Veracode shows that, after a comprehensive analysis of over 100 large language models across 80 coding tasks spanning four programming languages and four critical vulnerability types, only 55% of AI-generated code was secure (AI-Generated Code: A Double-Edged Sword for Developers, 09.09.2025). We don't doubt that, eventually, the machines will take over the world, but in the meantime, don't forget to ask yourself &lt;strong&gt;what can go wrong&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3uy09dwzqa4soxv1xfv.webp" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa3uy09dwzqa4soxv1xfv.webp" alt="Machines will for sure take over the world"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And what does the industry standard for infosec management say about writing secure code?&lt;/p&gt;

&lt;p&gt;If you happen to be ISO 27001 certified and are writing code, you should know that the control "ISO 27002: 8.28 Secure coding" says: "Planning and prerequisites before coding should include: ... g) secure design and architecture, including threat modelling".&lt;/p&gt;

&lt;p&gt;But how can you possibly do that in an agile and fun way?&lt;/p&gt;

&lt;p&gt;Visit &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; and play OWASP Cornucopia, Elevation of MLSec, Elevation of Privilege or OWASP Cumulus with your team.&lt;br&gt;
Games aren't just for fun; they can be serious tools too, and that is what we are doing with &lt;a href="https://cornucopia.owasp.org/" rel="noopener noreferrer"&gt;OWASP Cornucopia&lt;/a&gt;. We are making threat modeling for everyone, everywhere, and we have a special love for agile teams that want to do continuous threat modeling as part of their development sprints. Don't believe us? See how long-time project contributor Max Alejandro Gómez Sánchez Vergaray has &lt;a href="https://cornucopia.owasp.org/how-to-play#Gameplay-using-abuse-case-modelling-approach" rel="noopener noreferrer"&gt;created a video&lt;/a&gt; to explain how he has trained hundreds of teams to use OWASP Cornucopia in abuse case modelling sessions at a major international bank. This approach has scaled to over two thousand developers to date.&lt;/p&gt;


&lt;h2&gt;
  
  
  

  &lt;iframe src="https://www.youtube.com/embed/vLYzId7-ijI"&gt;
  &lt;/iframe&gt;



&lt;/h2&gt;

&lt;p&gt;In the next version of the OWASP Cornucopia Website App Edition, version 2.2, we have a special treat for you. We have gathered all our threat modeling expertise, created threat modeling scenarios for each card, and analyzed which STRIDE categories each of these scenarios belongs to. If you have bought an &lt;a href="https://cornucopia.owasp.org/webshop" rel="noopener noreferrer"&gt;OWASP Cornucopia deck with QR codes&lt;/a&gt;, you can now give your team advice on threat scenarios, threat vectors, attack patterns, mitigation strategies and STRIDE while playing the game by letting them scan the QR codes on each card. Each scenario follows "&lt;a href="https://github.com/adamshostack/4QuestionFrame?tab=readme-ov-file#shostacks-four-question-frame-for-threat-modeling" rel="noopener noreferrer"&gt;Shostack's Four Question Frame for Threat Modeling&lt;/a&gt;", making it easy for your security champions to come up with the threats and mitigations themselves.&lt;br&gt;
In addition, we have added further CAPECs that correspond to each card, and added references to the &lt;a href="https://devguide.owasp.org/en/04-design/02-web-app-checklist/" rel="noopener noreferrer"&gt;OWASP Developer Guide's Web Application Checklist&lt;/a&gt; that link your threat modeling to OWASP secure coding practices and the &lt;a href="https://top10proactive.owasp.org/" rel="noopener noreferrer"&gt;OWASP Top 10 Proactive Controls&lt;/a&gt;, thanks to Jon Gadson from the OWASP Developer Guide project.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjpj4qumpmfd2xt306hfb.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjpj4qumpmfd2xt306hfb.jpg" alt="Both the Mobile App Edition v1.1 and the Website App Edition v2.2 have QR codes that takes you to the OWASP Cornucopia Website for further analysis of threats and mitigations"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We are just getting started; in fact, this is just the first step. We will continue to bring threat modeling to everyone, everywhere, in the time to come.&lt;br&gt;
Next time we will also talk about the last question: "Did we do a good job?"&lt;br&gt;
Why? Because we want the game to be used in iterative security processes that involve continually adapting security measures in cycles to identify, address, and reassess threats and vulnerabilities, making continuous improvements rather than a one-time fix.&lt;/p&gt;

&lt;p&gt;Stay tuned.&lt;/p&gt;
&lt;h2&gt;
  
  
  How to use OWASP Cornucopia cards together with the OWASP Cornucopia website
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;A - Preparations&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards&lt;/li&gt;
&lt;li&gt;A2. Identify an application or application process to review; this might be a concept, design or an actual implementation&lt;/li&gt;
&lt;li&gt;A3. Create a data flow diagram, user stories, or other artefacts to help the review&lt;/li&gt;
&lt;li&gt;A4. This will help answer the question: "What are we working on?"&lt;/li&gt;
&lt;li&gt;A5. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)&lt;/li&gt;
&lt;li&gt;A6. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture). See our "Prizes and Swags" section for ideas.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;B - Play&lt;br&gt;
One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;B1. Remove the Jokers and a few low-score (2, 3, 4) cards from the Cornucopia suit to ensure each player will have the same number of cards&lt;/li&gt;
&lt;li&gt;B2. Shuffle the pack and deal all the cards&lt;/li&gt;
&lt;li&gt;B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia&lt;/li&gt;
&lt;li&gt;B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet&lt;/li&gt;
&lt;li&gt;B5. If a player gets stuck, ask them to scan the QR code on the card to access the online card page and read the section called: &lt;strong&gt;"&lt;a href="https://cornucopia.owasp.org/cards/VE2#What-can-go-wrong?" rel="noopener noreferrer"&gt;What can go wrong?&lt;/a&gt;"&lt;/strong&gt; or click the "more info" links if playing &lt;a href="https://copi.owasp.org/" rel="noopener noreferrer"&gt;Copi&lt;/a&gt; (the online Cornucopia version) or just browse the card from the deck at cornucopia.owasp.org while playing&lt;/li&gt;
&lt;li&gt;B6. Play clockwise; each person must play a card in the same way. If they have any card of the matching lead suit they must play one of those; otherwise they can play a card from any other suit. Only a higher card of the same suit, or the trump suit Cornucopia, wins the hand&lt;/li&gt;
&lt;li&gt;B7. The person who wins the round leads the next round (i.e. they play first), and thus defines the next lead suit&lt;/li&gt;
&lt;li&gt;B8. Repeat until all the cards are played&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;C - Scoring&lt;br&gt;
The objective is to identify applicable threats, and win hands (rounds)&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;C1. Score +1 for each card you can identify as a valid threat to the application under consideration&lt;/li&gt;
&lt;li&gt;C2. Score +1 if you win a round&lt;/li&gt;
&lt;li&gt;C3. Once all cards have been played, whoever has the most points wins&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;D - Closure&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;D1. Review all the applicable threats and the matching security requirements.&lt;/li&gt;
&lt;li&gt;D2. Ask the group: "What are we going to do about it?". Use the QR codes on the physical cards or "more info" links if playing &lt;a href="https://copi.owasp.org/" rel="noopener noreferrer"&gt;Copi&lt;/a&gt; and read the &lt;strong&gt;&lt;a href="https://cornucopia.owasp.org/cards/VE2#What-are-we-going-to-do-about-it?" rel="noopener noreferrer"&gt;"What are we going to do about it?"&lt;/a&gt;&lt;/strong&gt; section&lt;/li&gt;
&lt;li&gt;D3. Create user stories, specifications and test cases as required for your development methodology and add them directly into your issue tracking software under what you are working on&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege or Elevation of MLSec and OWASP Cumulus to secure your AI models and Cloud infrastructure respectively and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt; please give us a star ⭐️.&lt;/p&gt;

&lt;p&gt;

  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;


&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>security</category>
      <category>ai</category>
      <category>gamedev</category>
    </item>
    <item>
      <title>OWASP Cornucopia Companion Edition</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Wed, 06 Aug 2025 14:35:30 +0000</pubDate>
      <link>https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66</link>
      <guid>https://dev.to/owasp/owasp-cornucopia-companion-edition-1h66</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;At OWASP Cornucopia we have long stated that we will create more decks, and now we will!&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;To provide more possibilities for doing threat modeling while playing games, OWASP Cornucopia would like to welcome all OWASP members and OWASP Cornucopia enthusiasts to create the OWASP Cornucopia companion deck!&lt;/p&gt;

&lt;p&gt;The companion deck will contain a number of optional card enhancements - each one a single suit covering a particular application security topic, and intended to be used in conjunction with the existing OWASP Cornucopia Website Edition. A suit in the companion deck may be used to replace a suit in the existing Website Edition, so that the players can add a specific focus for their threat modeling.&lt;/p&gt;

&lt;p&gt;For example, say you are building an IoT application and want to perform threat modeling specifically for IoT. If that is the case, you can use the OWASP Cornucopia Website Edition together with the IoT companion suit as your elected OWASP Cornucopia focus area.&lt;/p&gt;

&lt;p&gt;Each of the attacks on the cards belonging to the various suits will showcase AppSec requirements from different OWASP projects and beyond, commemorating and celebrating the 25th anniversary of the OWASP Foundation next year. In addition, we would like the case, the leaflet with the instructions, and the face of the cards to be illustrated for this very same purpose.&lt;/p&gt;

&lt;p&gt;Join us to take gamified threat modeling to the next level and celebrate the OWASP Foundation's achievements within application security worldwide. We welcome suggestions on what the focus areas of the extension suits in the companion deck should be, which OWASP projects are most relevant for these, and contributors to write the attacks for each card. We are thinking of up to six companion deck suits. Get in touch…&lt;/p&gt;

&lt;p&gt;GitHub: &lt;a href="https://github.com/OWASP/cornucopia/discussions/1548" rel="noopener noreferrer"&gt;https://github.com/OWASP/cornucopia/discussions/1548&lt;/a&gt;&lt;br&gt;
LinkedIn: &lt;a href="https://www.linkedin.com/in/sydseter/" rel="noopener noreferrer"&gt;https://www.linkedin.com/in/sydseter/&lt;/a&gt;&lt;br&gt;
Bluesky: &lt;a href="https://bsky.app/profile/sydseter.com" rel="noopener noreferrer"&gt;https://bsky.app/profile/sydseter.com&lt;/a&gt;&lt;br&gt;
Mastodon: &lt;a href="https://mastodon.social/@sydseter" rel="noopener noreferrer"&gt;https://mastodon.social/@sydseter&lt;/a&gt;&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia or Elevation of Privilege:&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>cybersecurity</category>
      <category>gamedev</category>
      <category>security</category>
    </item>
    <item>
      <title>No need to fear the clouds. Play OWASP Cumulus!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 26 Jun 2025 09:32:39 +0000</pubDate>
      <link>https://dev.to/owasp/no-need-to-fear-the-clouds-play-owasp-cumulus-d6g</link>
      <guid>https://dev.to/owasp/no-need-to-fear-the-clouds-play-owasp-cumulus-d6g</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;The clouds can be a scary place. All these machines that simply aren't yours. So, how can you make sure you continuously keep your cloud infrastructure secure? OWASP Cumulus is the easy way to bring security into the cloud and your DevOps teams. Play it at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; thanks to &lt;a href="https://www.linkedin.com/in/christoph-niehoff-43020b20b/" rel="noopener noreferrer"&gt;Christoph Niehoff&lt;/a&gt; and &lt;a href="https://owasp.org/www-project-cumulus/" rel="noopener noreferrer"&gt;OWASP Cumulus&lt;/a&gt;!&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;As a variant of the card game &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege&lt;/a&gt;, it follows the idea of threat modeling a system via gamification. This lightweight and low-barrier approach helps you find threats to your DevOps or cloud project and teaches the developers a security-oriented mindset.&lt;/p&gt;

&lt;h2&gt;
  
  
  Threat Modeling
&lt;/h2&gt;

&lt;p&gt;The idea of threat modeling via serious games goes back to the card game &lt;a href="https://shostack.org/games/elevation-of-privilege" rel="noopener noreferrer"&gt;Elevation of Privilege&lt;/a&gt; by Adam Shostack. The basic idea is to bring the developers to the table and get them to start discussing the security of their system. For this, a card game serves as a guide through a catalogue of threats. It is designed to be low-barrier and naturally embeddable within agile development processes.&lt;/p&gt;

&lt;p&gt;While we at &lt;a href="https://cornucopia.owasp.org/" rel="noopener noreferrer"&gt;OWASP Cornucopia&lt;/a&gt; have been focusing on creating games for web and mobile application security, we have felt that the specific needs of DevOps teams working in cloud environments have gone unaddressed. &lt;a href="https://owasp.org/www-project-cumulus/" rel="noopener noreferrer"&gt;OWASP Cumulus&lt;/a&gt; seeks to fill this gap and provides a custom card deck with threats to cloud systems.&lt;/p&gt;

&lt;h2&gt;
  
  
  Continuously Assessing your Security
&lt;/h2&gt;

&lt;p&gt;The point here is not to just do your initial security risk assessment and be done with it, but to continuously look for new threats on a regular basis as you expand your infrastructure, in line with the &lt;a href="https://www.threatmodelingmanifesto.org/" rel="noopener noreferrer"&gt;Threat Modeling Manifesto&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;"Continuous Threat Modeling", a term described in &lt;a href="https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553" rel="noopener noreferrer"&gt;"Threat Modeling: A Practical Guide for Development Teams"&lt;/a&gt; by Izar Tarandach &amp;amp; Matthew J. Coles is essential to keep your applications and infrastructure secure as you expand your system with new features and machines and increase the attack surface. Gamifications can help getting started doing just that. So why would you want to continuous threat model your infrastructure and applications? Isn't it enough just to do a thorough and deep check up now and then? At &lt;a href="https://admincontrol.com/" rel="noopener noreferrer"&gt;Admincontrol&lt;/a&gt;, where I work, we thought so as well!&lt;/p&gt;

&lt;p&gt;At Admincontrol, we were using threat modeling to threat model our applications. We have a large session that we are only able to do once a year, and several smaller sessions that we do for each sprint. We define Jira issues meant for mitigating these threats and assign them directly to the development team's backlog. Then we have security backlog grooming once a month with the product owners and discuss directly with them how we can get these issues resolved.&lt;/p&gt;

&lt;p&gt;The first graph shows the resolution time for the Jira issues that are created based on the threat modeling session we do once a year. The second graph shows the resolution time for Jira issues from the threat modeling that we do each sprint.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Graph 1&lt;/strong&gt;:&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4s1t7qyv02vmkpt5v4w.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj4s1t7qyv02vmkpt5v4w.png" alt="Threat modeling done once a year"&gt;&lt;/a&gt;&lt;br&gt;
&lt;strong&gt;Graph 2&lt;/strong&gt;:&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskzqjk9cd1ubnjj2kh6h.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fskzqjk9cd1ubnjj2kh6h.png" alt="Threat modeling done continously"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see, in the first graph, the resolution time is just increasing. This is because we have Jira issues that are defined but never resolved. Some of the issues have taken close to 3 years to resolve!&lt;/p&gt;

&lt;p&gt;The second graph shows a bump where the resolution time spikes. This is because we had a component that didn't get finalized. It stayed on the drawing board, but the threat modeling had already been done, so the resolution time spiked. We have no data before 2023 as we didn't do this type of threat modeling before 2023. On average, the resolution time for the short threat modeling sessions is ca. 3 months. This usually coincides with the frequency of our minor releases that contain new features.&lt;/p&gt;
&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femdxojidbn7pkgz2uqyu.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femdxojidbn7pkgz2uqyu.jpg" alt=" "&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;If you do long and large sessions, you run the risk of both doing threat modeling irregularly, meaning that you will have issues you are never able to solve, and having issues meant to improve security staying in the development team's backlog forever, never to see the light of day. If you think that technical debt is scary, wait until you get to see your security debt. Not assessing how your security is doing on a regular basis isn't only very expensive, it can leave you open to threats as well. This is why &lt;a href="https://github.com/izar/continuous-threat-modeling" rel="noopener noreferrer"&gt;continuous threat modeling&lt;/a&gt; is so important. Don't let your business spiral out of control; consciously assess how you are doing by continuously threat modeling your applications and infrastructure.&lt;/p&gt;
&lt;h2&gt;
  
  
  How to play OWASP Cumulus
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Go to: &lt;a href="https://copi.owasp.org/games/new" rel="noopener noreferrer"&gt;https://copi.owasp.org/games/new&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Select OWASP Cumulus from the drop-down list&lt;/li&gt;
&lt;li&gt;Make sure you have done all the preparations&lt;/li&gt;
&lt;li&gt;Then click: Create the Game&lt;/li&gt;
&lt;li&gt;Send the link to 3 players&lt;/li&gt;
&lt;li&gt;Once 3 players have joined, click Start the game.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8luferag2unn4kdmrolu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8luferag2unn4kdmrolu.png" alt="owasp cumulus how to"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhwbwjn0k71ny8oazlj8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhwbwjn0k71ny8oazlj8.png" alt="the cards"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>cloud</category>
      <category>threatmodeling</category>
      <category>appsec</category>
      <category>gamedev</category>
    </item>
    <item>
      <title>Does the AI do the threat modeling of your software?</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Wed, 11 Jun 2025 19:26:57 +0000</pubDate>
      <link>https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1</link>
      <guid>https://dev.to/owasp/threat-modeling-your-ai-models-using-ai-29e1</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;Are you letting the AI do the threat modeling for you? There is no need to let the machines take over the world! Threat model using Elevation of MLSec on copi.owasp.org instead. Our survival depends on it! At &lt;a href="//copi.owasp.org"&gt;copi.owasp.org&lt;/a&gt; you can now play Elevation of MLSec to threat model your AI models.&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqi8gcoi59rhuf8hdc9zt.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqi8gcoi59rhuf8hdc9zt.png" alt="How to get started with Elevation of MLSec"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Elevation of MLsec is an unofficial Machine Learning Security (MLsec) extension of Microsoft's Elevation of Privilege threat modeling card game. These playing cards portray risks associated with machine learning (ML) that have been identified by research groups. It is suitable to play this game with or without the original Elevation of Privilege deck depending on the nature of what you're threat modeling. The intention of these cards is primarily to improve the security of ML systems themselves, as opposed to using ML for security.&lt;/p&gt;

&lt;p&gt;The work is based mainly on the &lt;a href="https://berryvilleiml.com/results/" rel="noopener noreferrer"&gt;Berryville Institute of Machine Learning (BIML)'s architectural risk analysis for machine learning systems (BIML-78)&lt;/a&gt; and their LLM analysis (BIML-LLM24), found on berryvilleiml.com. The game also adds a few supplementary LLM-specific threats from &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" rel="noopener noreferrer"&gt;OWASP's Top 10 list for Large Language Model&lt;/a&gt; Applications found on owasp.org.&lt;/p&gt;

&lt;p&gt;The game was created by Elias Brattli Sørensen and designed by Jorun Kristin Bremseth while working at Kantega. You can download &lt;a href="https://github.com/kantega/elevation-of-mlsec" rel="noopener noreferrer"&gt;the design files from their repository&lt;/a&gt; if you would like to print a physical version of the game.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu2jo0ra4lkt9ifuez4k.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyu2jo0ra4lkt9ifuez4k.png" alt="A game of Elevation of MLSec"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/OWASP/cornucopia/releases/tag/v2.3.0" rel="noopener noreferrer"&gt;Version 2.3 of OWASP Cornucopia&lt;/a&gt; brings with it "Elevation of MLSec" as an option when you select a new game at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;. If you like, it's also possible to install Copi yourself. Read more about that here: &lt;a href="https://cornucopia.owasp.org/copi" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org/copi&lt;/a&gt;  &lt;/p&gt;

&lt;p&gt;Personally, I am very happy about their game and have used it myself to threat model our new AI features that we are delivering at Admincontrol, and you should do it too. Don't leave the threat modeling up to the AI or it may take over the world!&lt;/p&gt;

&lt;h2&gt;
  
  
  How to play Elevation of MLSec
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Go to: &lt;a href="https://copi.owasp.org/games/new" rel="noopener noreferrer"&gt;https://copi.owasp.org/games/new&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Select Elevation of MLSec from the drop-down list&lt;/li&gt;
&lt;li&gt;Make sure you have done all the preparations&lt;/li&gt;
&lt;li&gt;Then click: Create the Game&lt;/li&gt;
&lt;li&gt;Send the link to 3 players&lt;/li&gt;
&lt;li&gt;Once 3 players have joined, click Start the game.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16t1mj00hgds2pamoxop.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F16t1mj00hgds2pamoxop.png" alt="play MLSec"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fur4lbab1plg4dtid57ob.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fur4lbab1plg4dtid57ob.png" alt="play MLSec2"&gt;&lt;/a&gt;&lt;/p&gt;


</description>
      <category>ai</category>
      <category>threatmodeling</category>
      <category>appsec</category>
      <category>openai</category>
    </item>
    <item>
      <title>OWASP® Cornucopia 2.2 &amp; Copi - A Game Engine for OWASP® Cornucopia Threat Modeling</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Mon, 19 May 2025 22:48:09 +0000</pubDate>
      <link>https://dev.to/owasp/owaspr-cornucopia-22-copi-a-game-engine-for-owaspr-cornucopia-threat-modeling-4okj</link>
      <guid>https://dev.to/owasp/owaspr-cornucopia-22-copi-a-game-engine-for-owaspr-cornucopia-threat-modeling-4okj</guid>
      <description>&lt;p&gt;&lt;em&gt;The pandemic drove a considerable increase in fully remote teams, which made card games quite difficult to organize. Therefore, in 2022, Grant Ongers was willing to bet a dinner at a fancy vegan restaurant that his former colleague Toby Irvine wouldn't be able to build a fully fledged and online game engine based on the game Cornucopia (from the OWASP® Foundation) over the weekend.&lt;/em&gt;&lt;/p&gt;




&lt;p&gt;A weekend later, Copi was born, and Grant lost the bet.&lt;br&gt;
Built with &lt;a href="https://elixir-lang.org/" rel="noopener noreferrer"&gt;Elixir&lt;/a&gt; and &lt;a href="https://phoenixframework.org/" rel="noopener noreferrer"&gt;Phoenix&lt;/a&gt;, Copi is, 3 years later, approaching 10,000 monthly users. You can read more about Toby's story on the &lt;a href="https://securedelivery.io/articles/play-owasp-cornucopia-mobile-online/" rel="noopener noreferrer"&gt;Secure Delivery Blog&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;
  
  
  A new release &amp;amp; new server
&lt;/h2&gt;

&lt;p&gt;There is now a new release of &lt;a href="https://github.com/OWASP/cornucopia/releases/tag/v2.2.0" rel="noopener noreferrer"&gt;OWASP Cornucopia 2.2&lt;/a&gt; to celebrate a new milestone in the project's history.&lt;br&gt;
We have been able to push the application onto OWASP® Foundation’s Fly.io account so that you can enjoy the game. We have also updated the Elevation of Privilege game, which we also host, to include the cards that were missing from the original release of EoP, thanks to Adam Shostack, who made sure his game was open-sourced: &lt;a href="https://github.com/adamshostack/eop" rel="noopener noreferrer"&gt;https://github.com/adamshostack/eop&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;Finally, if you have stringent security policies that don't allow you to use public online services, no worries: you can run &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; yourself on your own account and make sure nobody else can access the service. We encourage you to install "&lt;a href="https://cornucopia.owasp.org/copi" rel="noopener noreferrer"&gt;Copi - The Cornucopia Game engine&lt;/a&gt;" and contribute to the project. Doing this is pretty straightforward. You can choose between installing it on &lt;a href="//Heroku.com"&gt;Heroku.com&lt;/a&gt; or &lt;a href="//Fly.io"&gt;Fly.io&lt;/a&gt;. We recommend &lt;a href="//Fly.io"&gt;Fly.io&lt;/a&gt; as they support &lt;a href="https://fly.io/phoenix-files/beam-clustering-made-easy/" rel="noopener noreferrer"&gt;BEAM Clustering&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3i0jxrhnrcdbcj6p2kyq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3i0jxrhnrcdbcj6p2kyq.png" alt="Copi is free"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is how you do it… &lt;/p&gt;

&lt;p&gt;You'll need to install Elixir and &lt;a href="https://fly.io/docs/flyctl/install/" rel="noopener noreferrer"&gt;flyctl&lt;/a&gt; in order to launch the app. See: &lt;a href="https://github.com/OWASP/cornucopia/tree/master/copi.owasp.org#get-elixir" rel="noopener noreferrer"&gt;https://github.com/OWASP/cornucopia/tree/master/copi.owasp.org#get-elixir&lt;/a&gt;. Log in to Fly.io and create a PostgreSQL cluster. See: &lt;a href="https://fly.io/dashboard/" rel="noopener noreferrer"&gt;https://fly.io/dashboard/&lt;/a&gt; (click "managed postgres" in the menu). 1 GB of memory and 10 GB of storage for the database are enough.&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;git clone https://github.com/OWASP/cornucopia.git
cd cornucopia/copi.owasp.org
fly auth login
fly launch --no-deploy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;p&gt;Make a note of the host, the app's name, and the PostgreSQL cluster's name. Then deploy the app from ./copi.owasp.org:&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;fly mpg attach &amp;lt;cluster name&amp;gt; --app &amp;lt;app name&amp;gt;
fly deploy --app &amp;lt;app name&amp;gt; --env PHX_HOST=&amp;lt;app hostname without 'https://'&amp;gt;
fly scale count 2 --app &amp;lt;app name&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;p&gt;The app will be deployed with a PostgreSQL database and two instances. The monthly cost is no more than $14.&lt;/p&gt;

&lt;p&gt;Adding new card games with the same game rules as EoP or OWASP® Cornucopia is also easy. If you have any ideas or suggestions for security-related card games, then submit a request on &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;https://github.com/OWASP/cornucopia&lt;/a&gt; and please don't forget to give us a star.&lt;/p&gt;
&lt;h2&gt;
  
  
  dotNET lab OWASP Cornucopia decks
&lt;/h2&gt;

&lt;p&gt;Thanks to dotNET lab and Jef Meijvis, all prior decks sold on &lt;a href="https://webshop.dotnetlab.eu/product/cornucopia-card-deck/" rel="noopener noreferrer"&gt;their website&lt;/a&gt; now have QR codes that are redirected towards our new website. This means that if you have an old dotNET lab OWASP Cornucopia deck, then you don’t need to be afraid that your deck will become outdated when there is a new release of OWASP Cornucopia Website Edition. The QR code on the card will take you to the latest version on &lt;a href="https://cornucopia.owasp.org" rel="noopener noreferrer"&gt;cornucopia.owasp.org&lt;/a&gt; with the newest requirement mapping.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F927fflfjuhv4w3t8xz1y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F927fflfjuhv4w3t8xz1y.png" alt="dotNET lab OWAS Cornucopia card"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP 2025 Global AppSec EU
&lt;/h2&gt;

&lt;p&gt;We will be attending the OWASP 2025 Global AppSec EU, and if you are heading there, you can join us at our &lt;a href="https://sched.co/1yOiQ" rel="noopener noreferrer"&gt;demo lab&lt;/a&gt;, where you will learn to play the game in an all-new way. Expect confetti, swag (yes, you read right, swag, valued just below the corruption limit), and illegal bribes as we venture into the dark side of OWASP Cornucopia.&lt;br&gt;
We will also be showcasing OWASP Cornucopia at &lt;a href="https://sched.co/1yOO3" rel="noopener noreferrer"&gt;the project showcase track&lt;/a&gt;. If you are headed there, you may be in for a surprise. Can't wait to see you there!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2qsnz7hbn7sx6d1851u5.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2qsnz7hbn7sx6d1851u5.jpg" alt="The OWASP Cornucopia Global AppSec 2025 Demo Lab"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP Cornucopia
&lt;/h2&gt;

&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege or Elevation of MLSec and OWASP Cumulus to secure your AI models and Cloud infrastructure respectively and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt; please give us a star ⭐️.&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia:&lt;/p&gt;

&lt;p&gt;  &lt;iframe src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
  &lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>gamedev</category>
      <category>elixir</category>
      <category>security</category>
    </item>
    <item>
      <title>OWASP® Cornucopia Website App 2.1 &amp; Mobile App 1.1!</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Fri, 14 Feb 2025 09:29:28 +0000</pubDate>
      <link>https://dev.to/owasp/owaspr-cornucopia-website-app-21-mobile-app-11-2fj3</link>
      <guid>https://dev.to/owasp/owaspr-cornucopia-website-app-21-mobile-app-11-2fj3</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;OWASP® Cornucopia is launching &lt;a href="https://github.com/OWASP/cornucopia/releases/tag/v2.1.0" rel="noopener noreferrer"&gt;brand-new versions&lt;/a&gt; of the OWASP Cornucopia decks with QR codes and a new website that will make threat modeling, security requirement gathering and security design much easier.&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;Each of the QR codes will take you to a brand new OWASP Cornucopia website where you can further explore each card and the security requirements and controls connected to them (see: &lt;a href="https://cornucopia.owasp.org/" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org/&lt;/a&gt;).&lt;br&gt;
This will help scale secure design and requirement gathering activities for your development teams and empower them to do application security in a more agile way. &lt;/p&gt;
&lt;h2&gt;
  
  
  A new OWASP Cornucopia website
&lt;/h2&gt;

&lt;p&gt;In recent years, other OWASP projects have created their own custom websites to have greater control over content and layout. With the recent successful codification of all the Cornucopia materials for both the Website App Edition and Mobile App Edition, our project has now also created a custom website using an owasp.org subdomain: &lt;a href="https://cornucopia.owasp.org" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We would like to thank dotNET lab for donating their website code for this development. Volunteer Jef Meijvis was instrumental in making the website with help from the rest of the project team. All the source code is located in our repository, providing a way to maintain consistency by using some of the same data sources. The website's repo is at:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/OWASP/cornucopia/tree/master/cornucopia.owasp.org" rel="noopener noreferrer"&gt;https://github.com/OWASP/cornucopia/tree/master/cornucopia.owasp.org&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88hocuor5xffejhqn9pj.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F88hocuor5xffejhqn9pj.jpg" alt="OWASP® Cornucopia Mobile App Edition" width="800" height="602"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This has allowed us to add a news section and reinstate an extended version of the Wiki Deck, originally created by former co-leader Darío De Filippis, combining information from that with new content and code kindly donated by dotNET lab. There are now fully browsable cards for both editions (Website App and Mobile App), which can also be examined by mapping taxonomy (e.g. OWASP ASVS, OWASP MASTG, OWASP Top Ten):&lt;/p&gt;

&lt;p&gt;&lt;a href="https://cornucopia.owasp.org/cards" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org/cards&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://cornucopia.owasp.org/taxonomy" rel="noopener noreferrer"&gt;https://cornucopia.owasp.org/taxonomy&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The card URLs will be the unique endpoints linked from the QR codes on printed cards; they include guidance, tips and all the taxonomy lookups, making it easier to alter and extend these whenever we want. The names of recent new volunteers have now been added to the acknowledgements.&lt;/p&gt;
&lt;h2&gt;
  
  
  New translations
&lt;/h2&gt;

&lt;p&gt;In addition to the new versions of the editions and the OWASP Cornucopia website, the new release also comes with two new translations "PT-PT" (Portuguese-Portugal) and "IT" (Italian) thanks to André Ferreira ( @AndreFerreiraMsc ) and Ruggero DallAglio ( @rdallaglio ), respectively. As with previous translations, these are also delivered in 2 sizes, bridge and tarot, both with and without QR codes in addition to also being delivered as legacy guide documents. The new translations will be available in digital formats for download and print-on-demand.&lt;/p&gt;
&lt;h2&gt;
  
  
  Printing of the new decks
&lt;/h2&gt;

&lt;p&gt;Additionally, &lt;a href="https://dotnetlab.eu/" rel="noopener noreferrer"&gt;dotNET lab&lt;/a&gt; is going to sell the OWASP Cornucopia decks on their web shop (see: &lt;a href="https://cornucopia.owap.org/webshop" rel="noopener noreferrer"&gt;https://cornucopia.owap.org/webshop&lt;/a&gt;). Both the Website App &amp;amp; Mobile App editions will come with QR codes printed on them.&lt;br&gt;
The new versions of the decks are currently in the process of being printed, but we will keep you informed when these are ready. In the meantime, it's possible to buy the &lt;a href="https://agilestationery.com/products/owasp-cornucopia-mobile-app-edition-threat-modeling-cards?pr_prod_strat=jac&amp;amp;pr_rec_id=86844c1b8&amp;amp;pr_rec_pid=9497729237285&amp;amp;pr_ref_pid=4756732510279&amp;amp;pr_seq=uniform" rel="noopener noreferrer"&gt;1.0 Mobile App Edition&lt;/a&gt; and &lt;a href="https://agilestationery.com/products/owasp-cornucopia-2-0-website-app-edition-threat-modeling-cards?pr_prod_strat=e5_desc&amp;amp;pr_rec_id=86844c1b8&amp;amp;pr_rec_pid=9488500654373&amp;amp;pr_ref_pid=4756732510279&amp;amp;pr_seq=uniform" rel="noopener noreferrer"&gt;2.0 Website App Edition&lt;/a&gt; from Agile Stationery.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ipei39zup4rku99eg8x.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ipei39zup4rku99eg8x.jpg" alt="OWASP® Cornucopia Mobile App Edition" width="800" height="602"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Threat modeling as a tool for shifting security efforts left
&lt;/h2&gt;

&lt;p&gt;In &lt;a href="https://admincontrol.com/" rel="noopener noreferrer"&gt;Admincontrol&lt;/a&gt;, where I work, we were struggling to get the developers to participate actively in threat modeling sessions. Most of them would usually stay quiet and too embarrassed to participate in the conversation. They would rely heavily on the input from security engineers and security champions to formulate security requirements and -controls needed in order to implement security design and -architecture. &lt;br&gt;
They rarely took initiative during threat modeling sessions or helped to do threat modeling and requirement gathering. We also found that testers would only focus on testing the functional requirements for the software implementation under test and never do penetration testing themselves. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz3m5opolajoemifjjpa2.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz3m5opolajoemifjjpa2.jpg" alt="A CISO waiting for developers to start threat modeling" width="740" height="932"&gt;&lt;/a&gt;&lt;br&gt;
We therefore came to the realization that we needed to give the development teams a set of already defined, applicable threats and risks they could choose from and talk about, and that could work as triggers to help them come up with security requirements and controls themselves.&lt;/p&gt;

&lt;p&gt;Doing so in the form of a game helped increase the participants' ownership of the process: although it was the cards that were speaking, they were the ones choosing, explaining, scoring points and getting the attention.&lt;br&gt;
This tremendously helped increase motivation and has been key in scaling application security for companies doing software development. It’s no longer hard to elect security champions from the teams, and threat modeling, planning and testing are much easier to execute than before.&lt;br&gt;
As application security engineers are no longer bottlenecks in the agile development process, scaling application security efforts has become much easier. Cornucopia is empowering and teaching the development teams how to do threat modeling, what to test and implement, what to plan and how to execute security work. It is helping us deliver faster, make the teams more independent and shift security efforts left. Application security engineers are still needed, but the focus has turned towards facilitation, cheerleading and training.&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe1a12zg3g57d17aqjkpr.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe1a12zg3g57d17aqjkpr.jpg" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  We are looking for your support
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia is about community. We would have gotten nowhere without the help of all the people that have supported OWASP Cornucopia over the years. This is why, when making the first version of OWASP Cornucopia, Colin Watson thought it would be a great idea if the threat actors on the cards had the names of members and employees of the OWASP Foundation. The Mobile App edition follows that tradition. That is why we picked threat actor names, for the threat scenarios on the cards, from the OWASP Global board, OWASP staff, project members and OWASP chapter leaders from around the world, but we still need your support. We are looking for volunteers who would like to help us improve the new website and who would like to help translate the materials into various languages to ensure that developers who don't have English as their mother tongue understand the security requirements and controls presented to them. We are also looking for ideas and help in maintaining and improving the new website to ensure it becomes a valuable tool for everyone looking at solving application security challenges.&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP Cornucopia
&lt;/h2&gt;

&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege or Elevation of MLSec and OWASP Cumulus to secure your AI models and Cloud infrastructure respectively and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt; please give us a star ⭐️.&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia:&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
&lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>security</category>
      <category>threatmodeling</category>
      <category>agile</category>
    </item>
    <item>
      <title>How to pass the OWASP MASVS verification by design</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Fri, 14 Feb 2025 08:28:17 +0000</pubDate>
      <link>https://dev.to/owasp/how-to-pass-the-owasp-masvs-verification-by-design-2cf9</link>
      <guid>https://dev.to/owasp/how-to-pass-the-owasp-masvs-verification-by-design-2cf9</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;In Admincontrol, both our Android app and our iOS app just passed the MASVS 2.0 verification. And we did so by deciding on the security requirements and controls using a game. Here is how...&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;In April 2023, OWASP released version &lt;a href="https://mas.owasp.org/MASVS/" rel="noopener noreferrer"&gt;v2.0.0 of their “Mobile Application Security Verification Standard.”&lt;/a&gt; The new version removes the three verification levels called L1, L2, and R. Security control group verification requirements were reworked as “security testing profiles” and moved to the OWASP Mobile Application Security Testing Guide, or “MASTG.” These profiles are now aligned with the NIST (National Institute of Standards and Technology) OSCAL (Open Security Controls Assessment Language) standard. The standard is to be used together with the OWASP Mobile Application Security Testing Guide (&lt;a href="https://mas.owasp.org/MASTG/" rel="noopener noreferrer"&gt;MASTG v1.7&lt;/a&gt;), which comes with at least 82 tests that a mobile penetration tester should conduct in order to verify that the mobile application follows the MASVS standard.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3u5zjhisi63zndxwteo9.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3u5zjhisi63zndxwteo9.jpg" alt="The new OWASP Cornucopia Mobile Edition" width="800" height="429"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;It can be overwhelming for any mobile development team to go through all the requirements and tests that MASVS and the 575 pages long MASTG guide brings with them, but what if I told you that there is a game for deciding on the initial security requirements, tests and implementation for passing the MASVS verification?&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  How to pass the MASVS verification by design
&lt;/h2&gt;

&lt;p&gt;In &lt;a href="https://admincontrol.com/" rel="noopener noreferrer"&gt;Admincontrol&lt;/a&gt;, where I work, we wanted to make a new Android mobile app for our board portal services. As we benchmark the security of our webservices against ASVS L2 and our mobile apps against MASVS L2+R, we needed an agile way of making sure that all the MASVS requirements and the complete MASTG guide (which is 575 pages long) got taken into account when creating the secure design for the new mobile application. Otherwise, we would risk delivering an insecure app to our security aware users and fail the MASVS verification.&lt;br&gt;
Luckily we had discovered a game called OWASP Cornucopia that could be used for identifying application security requirement, create a secure design and do threat modeling. There was just one problem. The game wasn't meant for mobile application development. &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r7t9n8752ymsvw9fxwu.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7r7t9n8752ymsvw9fxwu.jpg" alt="Mobile application security is no joke!" width="735" height="500"&gt;&lt;/a&gt;&lt;br&gt;
I knew that we couldn't just dump the 575-page mobile application security testing guide in the mobile app developers' laps. Doing so would either prolong the development time extensively or end up being ignored. Fortunately, the OWASP Cornucopia project was looking at creating a new mobile edition of OWASP Cornucopia, so I got in touch with the project, where Xavier Godard had taken the initiative of making the new edition. Over the course of the next 3 months we finished the new &lt;a href="https://cornucopia.owasp.org/cards" rel="noopener noreferrer"&gt;"OWASP Cornucopia - Mobile App Edition"&lt;/a&gt;. We mapped it to the OWASP Mobile Application Security Verification Standard (&lt;a href="https://mas.owasp.org/MASVS/" rel="noopener noreferrer"&gt;MASVS v2.0&lt;/a&gt;) and the OWASP Mobile Application Security Testing Guide (&lt;a href="https://mas.owasp.org/MASTG/" rel="noopener noreferrer"&gt;MASTG v1.7&lt;/a&gt;) and created six suits of 13 cards each plus two jokers, with the suit names taken from MASVS: Platform &amp;amp; Code (PC), Authentication &amp;amp; Authorization (AA), Network &amp;amp; Storage (NS), Resilience (RS), Cryptography (CRM) and Cornucopia (CM), which contains threats related to MASVS privacy requirements and where we also added some nasty cards related to mobile malware. Then we used the game to identify the mobile application security requirements, do threat modeling and complete a secure design for our new mobile application.&lt;br&gt;
9 months after we started the mobile application development of the new mobile app, an external company completed penetration testing and MASVS 2.0 verification with a MAS L2+R profile and verified that the mobile app had passed all of the requirements with just one low severity finding.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;But why did we go to such lengths of investing tremendous efforts in creating a threat modeling game?&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Threat modeling as a tool for shifting security efforts left
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5y5l71o39iwotkiqtidr.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5y5l71o39iwotkiqtidr.jpg" alt="Threat modeling can make you feel like taking a nap, but falling asleep can have consequences." width="800" height="860"&gt;&lt;/a&gt;&lt;br&gt;
In Admincontrol, we had long been struggling to get the developers to participate actively in threat modeling sessions. Most of them would usually stay quiet, too embarrassed to participate in the conversation. They would rely heavily on the input from security engineers and security champions to formulate the security requirements and controls needed in order to implement security design and architecture. &lt;br&gt;
They rarely took initiative during threat modeling sessions or helped to do threat modeling and requirement gathering. We also found that testers would only focus on testing the functional requirements for the software implementation under test and never do penetration testing themselves. We therefore came to the realization that we needed to give the development teams a set of already defined, applicable threats and risks they could choose from and talk about, and that could work as triggers to help them come up with security requirements and controls themselves.&lt;/p&gt;

&lt;p&gt;Doing so in the form of a game helped increase the participants' ownership of the process: although it was the cards that were speaking, they were the ones choosing, explaining, scoring points and getting the attention.&lt;br&gt;
This tremendously helped increase motivation and has been key in scaling application security for companies doing software development. It’s no longer hard to elect security champions from the teams, and threat modeling, planning and testing are much easier to execute than before.&lt;br&gt;
As application security engineers are no longer bottlenecks in the agile development process, scaling application security efforts has become much easier. Cornucopia is empowering and teaching the development teams how to do threat modeling, what to test and implement, what to plan and how to execute security work. It is helping us deliver faster, make the teams more independent and shift security efforts left. Application security engineers are still needed, but the focus has turned towards facilitation, cheerleading and training.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ib4335mprmnggh78kpa.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ib4335mprmnggh78kpa.jpg" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  The new OWASP Cornucopia website
&lt;/h2&gt;

&lt;p&gt;This has further been simplified with the new &lt;a href="https://cornucopia.owasp.org" rel="noopener noreferrer"&gt;OWASP Cornucopia website&lt;/a&gt; and QR codes that we are now launching. The website will allow the development teams to find the security requirements and controls much more easily, strengthening shift-left and agile application security methodologies. Looking ahead, we will continue to empower the development teams by making it easier to use OWASP Cornucopia together with other OWASP resources. We believe integrating the online solution with other tools will increase productivity and adoption. Not having the same information in multiple systems will make it easier to keep the information correct and up to date. We will work on increasing the interoperability between OWASP Cornucopia and other OWASP projects. By doing so, we will also help you scale your application security efforts and empower your agile, cross-functional development teams, and we are looking for others who would like to take part in our journey.&lt;/p&gt;
&lt;h2&gt;
  
  
  We are looking for your support
&lt;/h2&gt;

&lt;p&gt;OWASP Cornucopia is about community. We would have gotten nowhere without the help of all the people that have supported OWASP Cornucopia over the years. This is why, when making the first version of OWASP Cornucopia, Colin Watson thought it would be a great idea if the threat actors on the cards had the names of members and employees of the OWASP Foundation. The Mobile App edition follows that tradition. That is why we picked threat actor names, for the threat scenarios on the cards, from the OWASP Global board, OWASP staff, project members and OWASP chapter leaders from around the world, but we still need your support. We are looking for volunteers who would like to help us improve the new website and who would like to help translate the materials into various languages, to ensure that developers who don't have English as their mother tongue understand the security requirements and controls presented to them. We are also looking for ideas and help in maintaining and improving the new website to ensure it becomes a valuable tool for everyone looking at solving application security challenges.&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP Cornucopia
&lt;/h2&gt;

&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege or Elevation of MLSec and OWASP Cumulus to secure your AI models and Cloud infrastructure respectively and guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt; please give us a star ⭐️.&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia:&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
&lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>appsec</category>
      <category>mobile</category>
      <category>cybersecurity</category>
      <category>security</category>
    </item>
    <item>
      <title>How to do threat modeling for agile mobile app development?</title>
      <dc:creator>Johan Sydseter</dc:creator>
      <pubDate>Thu, 06 Feb 2025 19:59:33 +0000</pubDate>
      <link>https://dev.to/owasp/how-to-do-threat-modeling-for-agile-mobile-app-development-28ki</link>
      <guid>https://dev.to/owasp/how-to-do-threat-modeling-for-agile-mobile-app-development-28ki</guid>
      <description>&lt;h2&gt;
  
  
  &lt;em&gt;Did you know that there is a game for threat modelling mobile apps? In Admincontrol we are using OWASP® Cornucopia to scale our application security efforts. Here is how...&lt;/em&gt;
&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://cornucopia.owasp.org/cards" rel="noopener noreferrer"&gt;"OWASP Cornucopia - Mobile App Edition"&lt;/a&gt; is mapped to the OWASP Mobile Application Security Verification Standard (&lt;a href="https://mas.owasp.org/MASVS/" rel="noopener noreferrer"&gt;MASVS v2.0&lt;/a&gt;) and OWASP Mobile Application Security Testing Guide (&lt;a href="https://mas.owasp.org/MASTG/" rel="noopener noreferrer"&gt;MASTG v1.7&lt;/a&gt;), only available in English, for now. The deck has six suits of 13 cards plus two jokers, with the suit names taken from MASVS: Platform &amp;amp; Code (PC), Authentication &amp;amp; Authorization (AA), Network &amp;amp; Storage (NS), Resilience (RS), Cryptography (CRM) and Cornucopia (CM) which contains threats related to MASVS Privacy requirements, and where we also have added some nasty cards related to mobile malware.&lt;/p&gt;

&lt;p&gt;So how do you gamify threat modeling and application security design? I would start with just playing the game. Get a group of people together at your company with an interest in security. It can be testers, web developers or mobile developers; it doesn’t matter. Buy pizza, beer, candy or coffee, get together and just do it. Don’t think about it, have fun and just do it. Why?&lt;/p&gt;

&lt;h2&gt;
  
  
  Agile Application Security
&lt;/h2&gt;

&lt;p&gt;Because it’s the fastest way of creating value and showing results.&lt;br&gt;
We want a culture of finding and fixing design issues, and we want people collaborating and having fun and we know that everyone is on a journey of discovery. We acknowledge that we do not have all the answers, but we believe we can find them together. &lt;br&gt;
And we want to do it now, we do not want to partake in wishful thinking. &lt;br&gt;
We know it won’t be perfect, but we will continuously refine the process and models as we learn more about what it is we are making.&lt;br&gt;
We want to adapt application security to agile development processes, not the other way around.&lt;br&gt;
And if you want to know more about this, you should check out &lt;a href="https://www.threatmodelingmanifesto.org/" rel="noopener noreferrer"&gt;the Threat Modeling Manifesto&lt;/a&gt; where these values come from.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb53nxhclupj2fcrvfcn9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb53nxhclupj2fcrvfcn9.png" alt="The Threat Modeling Manifesto" width="800" height="376"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Adam Shostack’s 4 Question Frame for Threat Modeling
&lt;/h2&gt;

&lt;p&gt;And to make it as simple and agile as possible, so that everyone can partake and understand the process, we narrow it down to finding the answers to 4 simple questions:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;What are we working on?&lt;/li&gt;
&lt;li&gt;What can go wrong?&lt;/li&gt;
&lt;li&gt;What can we do about it?&lt;/li&gt;
&lt;li&gt;Did we do a good job?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;(source: &lt;a href="https://github.com/adamshostack/4QuestionFrame" rel="noopener noreferrer"&gt;Shostack's 4 Question Frame for Threat Modeling&lt;/a&gt;)&lt;/p&gt;
&lt;h2&gt;
  
  
  Enlist a Volunteer Army: Get Others to Help You and Help Them as Well.
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghsyxag37njheylmc4f0.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghsyxag37njheylmc4f0.jpg" alt="a volunteer army of security minded people" width="800" height="245"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It sounds so simple, but it really isn’t, because the next part is a little bit more difficult. To make it stick, you need to enlist a volunteer army of security-minded people willing to meet on a regular basis. Once every two weeks is enough, but even if it’s just every two weeks, it’s essentially time and resources that those people will invest in spending time with you doing application security work. &lt;br&gt;
And the way you sell it is by saying that it’s a way for you to help each other do secure agile software development. And that’s it.&lt;br&gt;
They don’t need to be security champions. It just needs to be people representing their development team who want to help with application security.&lt;br&gt;
And the next thing you know, you have one person representing every team doing application security and threat modeling, doing the job on your behalf. &lt;br&gt;
Not so that you don’t need to, but because it’s the only way you can make them feel good about it, when they get the recognition for what they have done and collect the prize.&lt;/p&gt;
&lt;h2&gt;
  
  
  Build a Guiding Coalition: Get Everyone on Board
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gwgnxdptvlrrkppjqtj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9gwgnxdptvlrrkppjqtj.png" alt="A guiding coalition" width="800" height="353"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Present what you're doing to your CISO, CTO and product owners, get everyone on board and build a guiding coalition to help you and support you.&lt;br&gt;
If you already have a group of security-minded people that you have done threat modeling with, then this part is easy.&lt;br&gt;
Because even though everyone is asking themselves what this crazy group of people is doing, they will respect it and support it as long as it's working.&lt;br&gt;
So, all you need to do is write down all the whats, the whys and the hows, add them to a presentation, then present it to your CISO/CTO and product owners.&lt;br&gt;
Make sure they understand that you will be there and give support, then ask for a pilot project where you can introduce threat modeling for mobile applications. &lt;br&gt;
It can be a new mobile app, a new mobile API or something much smaller. It doesn’t matter how big or small it is.&lt;/p&gt;
&lt;h2&gt;
  
  
  Get Everyone to Commit
&lt;/h2&gt;

&lt;p&gt;What matters is that you make everyone commit to what you will be doing.&lt;br&gt;
Don’t just do an online session. Buy your plane ticket, book your hotel, and spend 2 days with the mobile development team. &lt;br&gt;
Not all development teams like to draw models, but ask the team to create a simple one anyway. Remember to point out that the model doesn’t need to be perfect. It just needs to show the basic processes, storage, and data flows that they will be implementing.&lt;br&gt;
It shouldn’t take more than 1 hour to complete, but make sure they understand that it needs to be there before the threat modeling session.&lt;/p&gt;

&lt;p&gt;Also, buy some fun prizes. If you go to the &lt;a href="https://cornucopia.owasp.org/swags" rel="noopener noreferrer"&gt;OWASP Cornucopia website&lt;/a&gt;, you will find a lot of suggestions for prizes, but it’s better if you use your imagination, come up with some ideas yourself, and make some fun out of it. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j2k4zygpykx8t7b79px.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5j2k4zygpykx8t7b79px.png" alt=" " width="800" height="717"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But before all of that, get the cards: either go to &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt; to play the online version, or download the high-res design files from &lt;a href="https://cornucopia.owasp.org/printing" rel="noopener noreferrer"&gt;cornucopia.owasp.org&lt;/a&gt; and get them printed. You can also buy physical decks at &lt;a href="https://cornucopia.owasp.org/webshop" rel="noopener noreferrer"&gt;one of our webshops&lt;/a&gt;. A small part of the profits from the sales goes to the OWASP® Foundation.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4gkdv0jlfa2ifoscsur.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4gkdv0jlfa2ifoscsur.png" alt="Go to copi.owasp.org or cornucopia.owasp.org" width="800" height="286"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  Let the Cards Speak and the Team Decide.
&lt;/h2&gt;

&lt;p&gt;You don’t need to be a specialist in mobile application security to lead an OWASP Cornucopia mobile threat modeling session. Letting the team take control of the session themselves is what works best. Once a card is played, the player needs to explain how the threat may be applicable to their mobile application. If the rest of the team agrees that this is the case, then the player gets a point. Later, when adding the specific threat to the threat model, the team can use the references on the card to figure out what they need to do in order to mitigate the threat. This allows the team to immediately create a security-focused user story in Jira and connect it to the MASVS and MASTG requirements and tests, which should give guidance both on implementing a secure design and on creating automated tests that can be used in MAS testing.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs8lp488ms2k7ok4rdvfw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs8lp488ms2k7ok4rdvfw.png" alt="Let the cards speak for themselves" width="800" height="359"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  The Role of the Application Security Engineer
&lt;/h2&gt;

&lt;p&gt;The application security engineer's role, during the game, is to support the team by recording the cards that score points on &lt;a href="https://owasp.org/www-project-cornucopia/assets/files/cornucopia-scoresheet-mobileapp.pdf" rel="noopener noreferrer"&gt;a score sheet&lt;/a&gt;, so that you can keep track of which cards are played and what the team discusses during the game. Later, when the development team creates security-focused user stories, you can help them remember what they were discussing during the game and which threats they identified as relevant and important for creating a secure design for their application. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffe2qbr0nx3vs2p8qicgq.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffe2qbr0nx3vs2p8qicgq.png" alt="Take notes during the meeting using a score sheet" width="800" height="376"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;When application security engineers are no longer bottlenecks in the agile development process, scaling application security efforts becomes much easier. Cornucopia empowers and teaches the development teams how to do threat modeling, what to test and implement, what to plan, and how to execute security work. It helps to deliver faster, makes the teams more independent, and shifts security efforts left. Application security engineers are still needed, but the focus turns towards facilitation, cheerleading and training.&lt;/p&gt;
&lt;h2&gt;
  
  
  Story board mapping – Create user stories
&lt;/h2&gt;

&lt;p&gt;After you have finished the game, don’t stop there: have a second session with the team where you look at the cards that scored and create security-focused user stories. If the scope of what you are building is large, do a storyboard mapping where you group together the cards that share the same MASVS and MASTG references, then get the team to decide what they are going to implement and test. If you’re not in the same location, you can do this using a digital solution for agile online collaboration like Figma; if you’re co-located, just get a large piece of cardboard and either print out the description of each card with its requirements, or stick the cards themselves to it, and let the team create user stories on post-it notes based on MASVS/MASTG and the notes that were taken during the game. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj60g8soj4vyasgwv8nf3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj60g8soj4vyasgwv8nf3.png" alt="Question 3: What can we do about i?" width="800" height="447"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then don’t forget to ask the product owner, during the session, to add the stories directly into your issue tracking software under the epic that the team is working on. This way, the team is mandated and empowered to implement the security controls they identified in order to finish the epic. &lt;/p&gt;
&lt;h2&gt;
  
  
  Threat modeling – Keep track of the risk
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc640iotggfhkncdu4lbg.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc640iotggfhkncdu4lbg.jpg" alt="OWASP Threat Dragon" width="800" height="351"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Also, give the team a threat modeling tool and ask them to link the Jira issues to the threats in the threat model, so that the team can keep track of which security controls they have implemented in order to mitigate the threats they identified.&lt;/p&gt;
&lt;h2&gt;
  
  
  Don’t forget to celebrate your short-term wins!
&lt;/h2&gt;

&lt;p&gt;And don’t forget to celebrate your short-term wins: present what the team is doing to everyone in the organization, buy pizza and beer, and make noise about how the development team is having success with what they are doing. Wins are the molecules of results; they must be collected, categorized and communicated, early and often, to track progress and energize your volunteer army to drive change.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc67qreeci4a01k5pu39g.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc67qreeci4a01k5pu39g.jpg" alt="Don't forget to celebrate" width="672" height="384"&gt;&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;
  
  
  OWASP Cornucopia
&lt;/h2&gt;

&lt;p&gt;Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use OWASP Cornucopia Web &amp;amp; Mobile, Elevation of Privilege, or Elevation of MLSec and OWASP Cumulus (to secure your AI models and cloud infrastructure, respectively) to guide your threat modelling at &lt;a href="https://copi.owasp.org" rel="noopener noreferrer"&gt;copi.owasp.org&lt;/a&gt;, and if you visit our &lt;a href="https://github.com/OWASP/cornucopia" rel="noopener noreferrer"&gt;code repository&lt;/a&gt;, please give us a star ⭐️.&lt;/p&gt;



&lt;p&gt;Learn how to play OWASP Cornucopia:&lt;/p&gt;

&lt;p&gt;&lt;iframe width="710" height="399" src="https://www.youtube.com/embed/XXTPXozIHow"&gt;
&lt;/iframe&gt;
&lt;/p&gt;




&lt;p&gt;&lt;a href="https://owasp.org" rel="noopener noreferrer"&gt;OWASP&lt;/a&gt; is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.&lt;/p&gt;

</description>
      <category>agile</category>
      <category>mobile</category>
      <category>appsec</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
