Free Delivery on orders above £50 for our US and Europe customers
1 2

OWASP® Cornucopia 2.0 Website App Edition - Threat Modeling Cards

£20.00

Description

OWASP® Cornucopia 2.0 is an updated threat modeling tool in the form of a card game designed to help software development teams identify security requirements in Agile, conventional, and formal development processes.

The deck contains 80 tarot-style cards, each representing a common error or anti-pattern based on data from OWASP experts, that allows systems to be vulnerable to attack . The cards are divided into six suits: Data Validation and Encoding, Authentication, Session Management, Authorization, Cryptography, and a catch-all "Cornucopia" suit.

This tool is accessible to all skill levels, from beginners to security experts, and aligns with widely-recognized standards such as OWASP ASVS, MASVS, MASTG, SAFECode, SCP, and CAPEC. This version contains the updated OWASP ASVS Mapping, aligned with ASVS v4.0.

Also available in a mobile edition!

OWASP is a registered trademark of the OWASP Foundation.

Bulk Pricing

Automatically applied at checkout:

Buy Discount
5 or more decks 10% off
10 or more decks 15% off
20 or more decks 20% off
30 or more decks 30% off

Outcome

Identify work that needs doing earlier in the project lifecycle. Defuse difficult relationships. Build trust. Bring teams together in peace and harmony.

Made by Agile Stationery

Experts in delivering the right kind of conversations. Slick cards in robust boxes. The best there is outside the casinos.

Specifications
  • Suits
    Data Validation and Encoding, Authentication, Session Management, Authorization, Cryptography, Cornucopia
  • # Cards
    80
  • Created by
    Colin Watson

Try a branded version

If you'd like to encourage the use of this technique within your team or organisation, a branded deck is a great way to demonstrate your support and commitment to the process.

Quick Guide to Playing Cornucopia

1. Set the Scene: Pick a feature or app. Bring visuals (diagrams, stories). Gather 3 to 6 people including devs, testers, product folks, and ideally someone with security knowledge.

2. Deal the Cards: Shuffle the deck. Remove Jokers and low-numbered Cornucopia cards (2 to 4s). Deal the rest evenly.

3. Start Playing: Take turns playing cards. Stick to the same suit if possible. Read your card aloud and say how the threat might apply, no need to solve it yet. Highest card of the suit wins, unless trumped by a Cornucopia card. Winner starts the next round.

4. Score: +1 for a valid threat, +1 if your card wins the round. Most points wins.

5. Wrap-Up: Review threats, map to security standards, and turn them into backlog items.

Tip: have someone take notes for later use.

Cornucopia Starter tips

  • Top 5 tips

  • Keep it simple to begin with

    Remove Aces and Jokers until the team is familiar with the game flow. You can reintroduce them once everyone’s more confident.

  • Start with a fictional app

    Use an imaginary or future application to practise. It lowers the stakes and lets people focus on learning the method, not worrying about real issues.

  • Tailor the deck to your tech stack

    Remove cards that don’t apply. Or focus on cards relevant to specific standards like PCI DSS or ISO 27001.

  • Keep sessions manageable

    For short time slots, use just one suit to narrow focus, play a single round per day or sprint, or pre-select a few cards that relate to your current work or sprint goals

  • Encourage input

    If someone misses a valid threat, invite others to contribute. Reward sharp insights with bonus points to keep it fun and collaborative.

Hybrid teams? No problem

We developed a style of play where everyone has the physical deck, but plays the game through video conferencing.

Why? How?
Back to top