[Owasp-secure-coding-practices] SCP and the draft "OWASP Cornucopia"

Colin Watson colin.watson at owasp.org
Fri Feb 1 13:41:35 UTC 2013

Interestingly this game has been mentioned in the updated PCISSC's
information supplement on PCI DSS E-commerce Guidelines released
yesterday. See 5.10.1:


By extension then, it references the OWASP Secure Coding Practices
Quick Reference Guide.

I'd like to extend the documentation on Cornucopia, and give guidance
on reduced card-decks if you are using a framework that can/could
provide certain security controls, probably referencing this excellent

   OWASP Framework Security Matrix


On 15 August 2012 21:44, Colin Watson <colin.watson at owasp.org> wrote:
> SCP list
> Threats, attacks and security requirements
> --------------------------------------
> I am a fan of Microsoft's Escalation of Privilege (EoP) threat
> modelling card game (published as
> http://creativecommons.org/licenses/by/3.0/us/ ), and find that a very
> useful tool for developers, including those using Agile methods.
>    http://www.microsoft.com/security/sdl/adopt/eop.aspx
>    http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx
> But I wanted something a bit more specific for the more common web
> applications, and which fits more closely with OWASP advice and
> guides. I therefore thought it should be based upon the OWASP Secure
> Coding Practices - Quick Reference Guide (SCP). So I have created
> "OWASP Cornucopia - Ecommerce Web Application Edition" which largely
> has the same concepts and game rules as EoP. I also wanted to avoid
> too much jargon and especially using the term "threat modelling" too
> much. Think "identifying security requirements" instead.
> Rather than being a separate project, I thought this could be a
> complementary document, or promotional item, for the SCP project.
> I hope another version could be "OWASP Cornucopia - Mobile App
> Edition", and that would need some rework to cover the OWASP Mobile
> Project's work. Why "Cornucopia"? I was looking for a name of the
> sixth suit and didn't want "miscellaneous" or "other". In EoP, one
> suit is called the same as the game (Elevation of Privilege), so I
> thought we could do something similar. Cornucopia gives an abundance
> of information, and hopefully leads to a prosperous company.
> Cornucopia
> --------------------------------------
> Cornucopia tries to condense most of SCP requirements into 6 suits,
> and this has meant some merging of requirements. The suits are:
> - Data validation and encoding
> - Authentication
> - Session management
> - Authorization
> - Cryptography
> - Cornucopia (everything else)
> Each suit contains 13 cards, and there are two extra Jokers (unlike
> EoP). But like EoP the Aces are "you have invented a new XXX attack",
> leaving 12 cards in each suit. This means some/many cards include more
> than one SCP requirement. The descriptions still have to be phrased as
> an attack but I wasn't keen on beginning every description with "An
> attacker can...", wanting something more engaging, and therefore used
> personal names. These can be thought of as external or internal people
> or aliases for computer systems. I also wanted to reflect the OWASP
> community aspect, so apart from "Alice and Bob", I use the given
> (first) names of current and recent OWASP employees and Board members
> (assigned in no order), and then randomly selected the remaining 50 or
> so names from the current list of paying individual OWASP members. No
> name was used more than once, and where people had provided two
> personal names, I dropped one part to try to ensure no-one can be
> easily identified. No names were allocated specifically to any
> particular attack/defence/requirement. The cultural and gender mix
> simply reflects theses sources of names, and is not meant to be
> world-representative.
> To make the cards semi-universally available, I have created them in
> MS Word and laid them out so they can be printed onto Avery business
> card sheets (85x54mm,10/page). That's currently A4 sheets, so I don't
> know how it works on old-world paper sizes. Ideally it would be nice
> to create some proper print-ready designs, since digital printing onto
> proper playing cards won't be much more expensive, and could be a lot
> cheaper, than the Avery card option. A cheap version can be created by
> printing onto plain paper and slicing them up.
> More information in the source Word document (see below).
> Look-ups
> --------------------------------------
> But I also wanted to try to cross-reference the descriptions on the
> cards with other lists, so they also act as pointers to more-detailed
> resources, and so far have included:
> - ASVS for Web Applications 2009 verification IDs
> - AppSensor detection points
> - CAPEC IDs (still working on this, because there must be a CAPEC for
> every attack)
> - SAFECode security-focused stories in "Practical Security Stories and
> Security Tasks for Agile Development Environments"
> I didn't map to any Top X lists since those change over time, and they
> can be derived from the above anyway. I had intended to list CWE IDs,
> but there would be too many for some, and there are mappings from
> CAPEC and the SAFECode items to CWEs which can be used instead. I have
> mapped the cards to the SCP, just numbering the requirements from 1 to
> 213. The numbers are meaningless other than being an ID. In a new SCP
> edition some numbers might be deleted and new ones (e.g. above 120)
> added. So the ordering of the numbering has no meaning and there are
> no section names. These could be mapped to any future common numbering
> schema.
> These mappings need to be reviewed, and shouldn't be considered
> definitive. The following items are mapped to any cards:
> - ASVS V1(all), V7.9, V8.7, V8.11, V9.6, V12.2, V12.4, V14(all)
> - SCP 82, 97-98, 100, 106, 116, 120, 141, 163-166, 184-188, 193, 202
> I can provide the SCP IDs in an amended version of SCP v2 to anyone
> interested, but didn't want to confuse others by posting it onto the
> wiki.
> Special cards
> --------------------------------------
> The Ace and Joker cards do not have cross-references, so include
> pointers to some other OWASP resources:
> - many of the cheat sheets
> - the 4 guides
> - individual membership
> - Broken Web App VM and Hacking Lab
> Download
> --------------------------------------
> v0.3 is at:
> https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx
> What next?
> --------------------------------------
> At the moment, this has been a sole effort apart from using other
> people's ideas (credits in the document). I am trialling these cards
> out, but would welcome feedback, corrections and improvements.
> - Are the attack statements worded correctly?
> - Does the game work?
> - Are there any duplicates in the attacks?
> - Are any attacks weak (why have some no CAPEC reference?)
> - Is the grammar correct and consistent?
> - Have I manged to use "international English" correctly?
> - Will the text make sense when translated into other languages?
> - Are the mappings correct (any CAPEC, ASVS experts out there?)
> Regards
> Colin

More information about the Owasp-secure-coding-practices mailing list