[Owasp_cornucopia] Fwd: Cornucopia vs EOP

Colin Watson colin.watson at owasp.org
Mon Jul 23 09:46:56 UTC 2018


Amit

Cornucopia continues to be improved, updated and promoted. The greatest
effort recently has been in translating the game into other languages by
many generous volunteers who we need to thank again. Only last week you'll
see some information from Wagner and Emerson about a talk they presented at
a conference recently.

Regarding usage, I would say Cornucopia is only relevant to web
applications, and as the full name suggests it has particular emphasis
on ecommerce applications. So those are not sector specific, but perhaps
they tend to be business-to-consumer (B2C) and consumer-to-consumer (C2C)
web applications rather than B2B. There is feedback from other people on this
mailing list, and that together with feedback at presentations and games
sessions has been used to update the instructions, rules, notes,
alternative play/rules and a few of the cards themselves. If you search
Twitter you will also find some third-party comments.

Colin


On 15 July 2018 at 11:05, Amit Agarwal <amitmnagarwal at gmail.com> wrote:

> Thanks Colin for the reply.
>
> Is there any work going on to enhance the current version of
> Cornucopia?
>
> Also, any info about its usage across industry and real practical feedback
> on the tool?
>
> On Sun, Jul 15, 2018 at 9:19 AM, Colin Watson <colin.watson at owasp.org>
> wrote:
>
>> Amit
>>
>> Cornucopia is mapped to ASVS. Not every item in Cornucopia exists in ASVS.
>>
>> Colin
>>
>>
>>
>>
>> On 14 July 2018 at 20:31, Amit Agarwal <amitmnagarwal at gmail.com> wrote:
>>
>>> Thanks for the reply.
>>>
>>> Playing both would be a big ask from the projects who are always shying
>>> away from security.
>>>
>>> Also, how does it compare against OWASP ASVS?
>>>
>>> I guess both serve the same purpose.
>>>
>>> On Mon, 9 Jul 2018, 5:39 pm Colin Watson, <colin.watson at owasp.org>
>>> wrote:
>>>
>>>> Hello Amit
>>>>
>>>> Thanks for your interest in OWASP Cornucopia.
>>>>
>>>> As you noted it is based on Microsoft's Elevation of Privilege (EoP)
>>>> card game, but while that was developed for threat modelling of Microsoft's
>>>> products like SQL Server, Cornucopia is solely focused on web application
>>>> threat modelling. So if you are working with web applications, try
>>>> Cornucopia first. But you may gain some alternative insights into your
>>>> projects following the STRIDE approach of EoP too. Play both!
>>>>
>>>> Regarding the project, the content has gone through a number of
>>>> iterations, so the focus more recently has been on promoting it and getting
>>>> it translated into other languages. Those are not small tasks in themselves
>>>> and we look forward to further updates in due course. The recent work to
>>>> complete a French translation has been marvellous, and there is work in
>>>> progress for Portuguese and Spanish.
>>>>
>>>> Regards
>>>>
>>>> Colin
>>>>
>>>>
>>>>
>>>>
>>>> On 9 July 2018 at 16:30, Amit Agarwal <amitmnagarwal at gmail.com> wrote:
>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hi Dario/Colin,
>>>>>
>>>>> Thanks for the wonderful project.
>>>>>
>>>>> I am a bit confused between the two.
>>>>>
>>>>> Which one should be preferred?
>>>>>
>>>>> Also, I observed the project has not had any updates for a year.
>>>>>
>>>>> Is it active or gone dormant?
>>>>>
>>>>> Thanks
>>>>> Amit
>>>>>