[Owasp-secure-coding-practices] SCP and the draft "OWASP Cornucopia"

Colin Watson colin.watson at owasp.org
Wed Aug 15 20:44:01 UTC 2012

SCP list

Threats, attacks and security requirements

I am a fan of Microsoft's Escalation of Privilege (EoP) threat
modelling card game (published as
http://creativecommons.org/licenses/by/3.0/us/ ), and find that a very
useful tool for developers, including those using Agile methods.


But I wanted something a bit more specific for the more common web
applications, and which fits more closely with OWASP advice and
guides. I therefore thought it should be based upon the OWASP Secure
Coding Practices - Quick Reference Guide (SCP). So I have created
"OWASP Cornucopia - Ecommerce Web Application Edition" which largely
has the same concepts and game rules as EoP. I also wanted to avoid
too much jargon and especially using the term "threat modelling" too
much. Think "identifying security requirements" instead.

Rather than being a separate project, I thought this could be a
complementary document, or promotional item, for the SCP project.

I hope another version could be "OWASP Cornucopia - Mobile App
Edition", and that would need some rework to cover the OWASP Mobile
Project's work. Why "Cornucopia"? I was looking for a name of the
sixth suit and didn't want "miscellaneous" or "other". In EoP, one
suit is called the same as the game (Elevation of Privilege), so I
thought we could do something similar. Cornucopia gives an abundance
of information, and hopefully leads to a prosperous company.


Cornucopia tries to condense most of SCP requirements into 6 suits,
and this has meant some merging of requirements. The suits are:

- Data validation and encoding
- Authentication
- Session management
- Authorization
- Cryptography
- Cornucopia (everything else)

Each suit contains 13 cards, and there are two extra Jokers (unlike
EoP). But like EoP the Aces are "you have invented a new XXX attack",
leaving 12 cards in each suit. This means some/many cards include more
than one SCP requirement. The descriptions still have to be phrased as
an attack but I wasn't keen on beginning every description with "An
attacker can...", wanting something more engaging, and therefore used
personal names. These can be thought of as external or internal people
or aliases for computer systems. I also wanted to reflect the OWASP
community aspect, so apart from "Alice and Bob", I use the given
(first) names of current and recent OWASP employees and Board members
(assigned in no order), and then randomly selected the remaining 50 or
so names from the current list of paying individual OWASP members. No
name was used more than once, and where people had provided two
personal names, I dropped one part to try to ensure no-one can be
easily identified. No names were allocated specifically to any
particular attack/defence/requirement. The cultural and gender mix
simply reflects theses sources of names, and is not meant to be

To make the cards semi-universally available, I have created them in
MS Word and laid them out so they can be printed onto Avery business
card sheets (85x54mm,10/page). That's currently A4 sheets, so I don't
know how it works on old-world paper sizes. Ideally it would be nice
to create some proper print-ready designs, since digital printing onto
proper playing cards won't be much more expensive, and could be a lot
cheaper, than the Avery card option. A cheap version can be created by
printing onto plain paper and slicing them up.

More information in the source Word document (see below).


But I also wanted to try to cross-reference the descriptions on the
cards with other lists, so they also act as pointers to more-detailed
resources, and so far have included:

- ASVS for Web Applications 2009 verification IDs
- AppSensor detection points
- CAPEC IDs (still working on this, because there must be a CAPEC for
every attack)
- SAFECode security-focused stories in "Practical Security Stories and
Security Tasks for Agile Development Environments"

I didn't map to any Top X lists since those change over time, and they
can be derived from the above anyway. I had intended to list CWE IDs,
but there would be too many for some, and there are mappings from
CAPEC and the SAFECode items to CWEs which can be used instead. I have
mapped the cards to the SCP, just numbering the requirements from 1 to
213. The numbers are meaningless other than being an ID. In a new SCP
edition some numbers might be deleted and new ones (e.g. above 120)
added. So the ordering of the numbering has no meaning and there are
no section names. These could be mapped to any future common numbering

These mappings need to be reviewed, and shouldn't be considered
definitive. The following items are mapped to any cards:

- ASVS V1(all), V7.9, V8.7, V8.11, V9.6, V12.2, V12.4, V14(all)
- SCP 82, 97-98, 100, 106, 116, 120, 141, 163-166, 184-188, 193, 202

I can provide the SCP IDs in an amended version of SCP v2 to anyone
interested, but didn't want to confuse others by posting it onto the

Special cards

The Ace and Joker cards do not have cross-references, so include
pointers to some other OWASP resources:

- many of the cheat sheets
- the 4 guides
- individual membership
- Broken Web App VM and Hacking Lab


v0.3 is at:


What next?

At the moment, this has been a sole effort apart from using other
people's ideas (credits in the document). I am trialling these cards
out, but would welcome feedback, corrections and improvements.

- Are the attack statements worded correctly?
- Does the game work?
- Are there any duplicates in the attacks?
- Are any attacks weak (why have some no CAPEC reference?)
- Is the grammar correct and consistent?
- Have I manged to use "international English" correctly?
- Will the text make sense when translated into other languages?
- Are the mappings correct (any CAPEC, ASVS experts out there?)



More information about the Owasp-secure-coding-practices mailing list