[Owasp_cornucopia] Experience of my First Use with Development leads

Colin Watson colin.watson at owasp.org
Tue Jul 2 10:24:52 UTC 2013


Thank you, this is very helpful feedback. Comments inline:

> Printed the cards and sat down 3 senior development leads
> Brief I gave them was
> ·         We play a hand of cards
> ·         See who wins
> ·         Then discuss what is on the cards (I left it to them to ask
> questions rather than read aloud)

Interesting to discuss the cards after the game, but I like how it
keeps the game moving. I'll add that as a suggested alternative play
method to v1.02.

> A question I could not answer was, are the vulnerabilities ranked by the
> number on the card? For the few I looked at I thought so, e.g. ‘you have
> invented a new attack against Cryptography’ = Ace

Slightly yes, but the ranking would be organisation/application
specific, so this isn't a rule. I will add this as a FAQ.

> Card game wise we played a version of ‘21’ which reduces the number of cards
> to be discussed at the end of each round, that worked well however…

I will add this to "alternative game rules".

> Wondering, what card games others have used and did it affect how
> effectively folk learn …

So far only "trumps" and your "21" as far as I know. Hopefully we will
get some more feedback with time. Originally when I started thinking
about this, I wondered if some version of "trumps" might work, but I
cannot think how exactly. "Whist" might be possible too, where players
have partners - pairing up developers and testers might be interesting.

> Is the number of cards in a hand significant in relation to how effectively
> you learn? Maybe not?

Probably not. The length of game needs to match how long attention can
be maintained, and splitting the game into several smaller games, over
a week or so, can work well too.

> With a security person in the room to answer questions and deal with further
> questions as the players elaborate on the real-world issues they currently
> face, I see this as an effective security training tool. I know the guidance
> and explanations are on the cards, so it would work without a security person
> ‘mentoring the game’, but it is hard to tell how efficient this would be.

I think including an application security person to begin with can
help facilitate the process, and avoid too much looking at referenced
items during the game.

> (Long term I would like to embed this in the development process. I am
> looking for maximum knowledge in as little time as possible, hopefully with
> the training built into Sprints via the sprint planning meeting, using the
> suits relevant to the Sprint.)

Yes, ultimately it is better if the teams become familiar with the
cards/process, so they use them as prompts in future by themselves.

> At the start of the game, as suggested, I selected the ‘suits’ most relevant
> to the work the teams were working on.
> As we worked our way through the deck we discarded the cards which we had
> already read and continued our way through the deck, eventually we ran out
> of cards and grabbed the 2 suits which we had discarded.

Useful to know.

> So 4 people, 1.5 hours, whole deck.
> Obviously we only discussed a few of the cards as a group.
> As part of a wider security training programme I think this works. It
> definitely stimulated debate (at times quite lively).


> Yes there were times that people were more interested in the card game than
> the training, I think it is best to accept this will happen, people learn
> better if they are alert and engaged so ………

Yes, people have different methods of working/learning.

> Background
> Only 1 of the 3 Guinea-pigs had previously seen the OWASP Secure Coding
> Practices Quick Reference Guide
> Lessons Learned
> (gambling, even for chips, may be an issue for some organisations / staff:
> need to think about this…)

Mmm, yes. I suppose just being seen to be "playing" could be a problem
in some environments too.

> Using ‘Hero Chocolates’ as chips was popular
> Awarding a Ginger Bread man as a Prize in addition to taking your winnings
> home gives you a way of finishing the session in theatrical fashion

> Group size: we were 4, interested to know what group sizes others have
> tried. 4 seemed to work well; I would say 5 maximum.
> Printing will always be a bit of a lottery. I use my home Kodak inkjet
> printer, set to best quality. Just an observation... it takes time to
> print out and push out the cards.

I will add a note about allowing sufficient time to print.

> Next time I will run this through a Colour Laser printer in the office, as
> some of the suits were hard to read (background colour too pastel).

I will try to darken some suits, but I realise we are at the mercy of
inkjets and it isn't going to be as good as professional printing on
proper coated card. Maybe once we are all more happy with the idea, we
can try to get some printed up properly - OWASP has put a bid in for
some .EU funding, and I submitted a proposal for designing/printing
these decks. If we get it, I'll send decks to everyone who contributes
to the project - and feedback is contributing. Ken, can I list you as
a "contributor" now?

> Opinions on the readability of the text varied from, ‘Hard to read’ to ‘just
> fine what are you talking about’! (probably fine for all on a laser printer)

As above! I wanted to keep the cross-referencing on the cards, even if
it is only used at a later time to flesh out the requirements. But I
did struggle to fit it all on, and hence the small size.

> Next step.
> Run 2 more training sessions later this week.
> Finally, a big thank you to all who contributed to putting this together; it
> must have taken a lot of time.

Yes, but sort of fun too.
