Why do we keep our darkest fears secret? Publish them, and bring light to the darkest corners of your web application.
When Adam Schostack + associates last year urged everyone to publish their threat model, we thought, «What a wonderful idea!»
So we went ahead and did just that. At cornucopia.owasp.org, you can now find the threat model for the OWASP Cornucopia Game Engine, Copi.
There we have listed all our darkest fears and secrets. Darkness is not a force of its own; it is simply the absence of light. When light is shed on our doubts and fears, making them visible, we find solutions and become stronger. This is why publishing your threat model is essential. If you refuse to disclose your vulnerabilities to anyone, they become liabilities that may one day lead to doubts, lies, and perhaps even conspiracies and litigation. Therefore, before building software, build trust and make it clear what others need to be aware of.
Threat Dragon and EoP Games
When choosing a tool for publishing our threat model, we chose OWASP Threat Dragon. OWASP Threat Dragon is a free, open-source, cross-platform threat modeling application. It is used to create threat modeling diagrams and list threats for elements within the diagrams. Mike Goodwin created Threat Dragon as an open-source community project that provides an intuitive, accessible way to model threats.
OWASP Threat Dragon will release this possibility in v2.6, which is due to be released in week 9, but already now, you can try it out on their demo site. This is just the start of integration between the two projects; more is to come. OWASP Threat Dragon V2.6 will come out with all sorts of exciting features. For a full list, have a look at their current v2.6 roadmap.
Thanks to Gerardo Canedo and his students at Universidad Católica del Uruguay, it's now possible to create your OWASP Cornucopia Threat Model directly in OWASP Threat Dragon. When creating a new diagram for your threat model, simply choose to create an EoP Games diagram. We chose to call the diagram EoP Games for two reasons. One, OWASP Cornucopia is derived from the Elevation of Privilege game created by Adam Shostack. Two, we don't want to stop with OWASP Cornucopia. We also want to add other EoP games, such as the original EoP Game.
Once you have created an EoP Games diagram, you can add OWASP Cornucopia threats to your threat model. The specific threat you add will get a link reference to the OWASP Cornucopia website, where you will find guidance on threat modeling and STRIDE, which will help you in identifying what can go wrong and what to do about it. You can also find a complete mapping to OWASP ASVS, OWASP Developer Guide, and all relevant CAPECs.
I want to express my sincere appreciation to Gerardo Canedo, Sebastian Feirres, and their students at Universidad Católica del Uruguay for making this possible. With their dedication and effort, OWASP Cornucopia wouldn’t have had this possibility.
Shostack's 4 Question Frame for Threat Modeling
OWASP Cornucopia, together with OWASP Threat Dragon, is helping us in answering:
- What we are working on
- What can go wrong?
- What are we going to do about it?
...but "Did we do a good enough job?"
At Admincontrol, where I work, we have always sent an anonymous survey after every OWASP Cornucopia threat modeling session. The aggregate score for how satisfied respondents have been with all sessions we've held since we started OWASP Cornucopia in 2023 is 4.5 out of 5. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5. When asked whether the OWASP Cornucopia session helped the participants understand which security controls (mitigations) they need to implement/test, the score was 4.5. When asked whether the session improved the overall awareness of application security requirements, the score was 4.0. When asked, "Did we do a good job?", the score was 4.3. So for sure, we can do better!
When asking the question, "Did we do a good enough job?", don’t just blurt it out during a session. Do you honestly think people will give you their honest criticism to your face directly? Send out an anonymous survey and ask for feedback!
OWASP Cornucopia welcomes any input or improvements you might be willing to share with us regarding our current threat model. Arguably, we created the system before we were able to identify all our threats, and several improvements need to be made to properly balance the inherent risks of compromise against the current security controls. For anyone hosting the game engine, please take this into account. For anyone wanting to share their opinion, please don't hesitate to visit our repository, share your feedback, and, if appropriate, give us a star⭐️.
OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 250 chapters worldwide.
Top comments (1)
Love seeing Cornucopia publish its own threat model, it's the kind of transparency that makes you trust a project more. Been spending a fair bit of time around the codebase lately, and seeing this land feels really good. Having used it to run sessions with people new to threat modeling, the STRIDE → ASVS → CAPEC mapping is what always makes it click for them. The EoP Games diagram in Threat Dragon is a solid step forward.
Pumped for 2.6! 🙌