OWASP® Cornucopia 3.0 Website App Edition - Threat Modeling Cards
Description
OWASP® Cornucopia is a threat modeling tool in the form of a card game designed to help software development teams identify security requirements in Agile, conventional, and formal development processes.
The deck is widely used in secure design workshops, architecture reviews, and Agile development teams, providing a simple way to introduce application security thinking early in the development process.
Each card represents a potential security concern or attack pattern, prompting discussion about how a system might be misused and what controls should be considered.
OWASP is a registered trademark of the OWASP Foundation.
Bulk Pricing
Automatically applied at checkout:
| Buy | Discount |
|---|---|
| 5 or more decks | 5% off |
| 10 or more decks | 10% off |
| 20 or more decks | 20% off |
| 30 or more decks | 30% off |
Specifications
- Suits: Data Validation and Encoding, Authentication, Session Management, Authorization, Cryptography, Cornucopia
- # Cards
- Created by
Try a branded version
If you'd like to encourage the use of this technique within your team or organisation, a branded deck is a great way to demonstrate your support and commitment to the process.
What's new in version 3.0?
Version 3.0 is a significant update to the Cornucopia deck, bringing the content up to date with modern application security standards and expanding the range of threats covered. Key improvements include:
Alignment with OWASP ASVS 5.0
The cards now map to the latest version of the OWASP Application Security Verification Standard, helping teams align threat modelling discussions with recognised security requirements.
Expanded Attack Pattern Coverage
Version 3.0 links the cards to over 210 CAPEC attack patterns, giving broader and deeper coverage of common attack techniques.
Updated Card Content
Many cards have been revised to reflect today’s threat landscape and modern development practices.
Improved Digital Integration
QR codes on the cards link directly to detailed guidance on the Cornucopia website, making it easier to explore security requirements and learn more during workshops.
Quick Guide to Playing Cornucopia
1. Set the Scene: Pick a feature or app. Bring visuals (diagrams, stories). Gather 3 to 6 people including devs, testers, product folks, and ideally someone with security knowledge.
2. Deal the Cards: Shuffle the deck. Remove Jokers and low-numbered Cornucopia cards (2 to 4s). Deal the rest evenly.
3. Start Playing: Take turns playing cards. Stick to the same suit if possible. Read your card aloud and say how the threat might apply; there is no need to solve it yet. Highest card of the suit wins, unless trumped by a Cornucopia card. Winner starts the next round.
4. Score: +1 for a valid threat, +1 if your card wins the round. Most points wins.
5. Wrap-Up: Review threats, map to security standards, and turn them into backlog items.
Tip: have someone take notes for later use.

