Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.
12 | 13 |If all else fails you can search our historical site.
15 |
15 |
16 | Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:
17 |
18 | Please see [cornucuopia.owasp.org](https://cornucopia.owasp.org/about#Acknowledgements) for a full list.
19 |
20 | And please let us know if we have missed anyone.
21 |
--------------------------------------------------------------------------------
/tab_cards.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Cards
3 | displaytext: Get the Cards
4 | layout: null
5 | tab: true
6 | order: 1
7 | tags: cc
8 | ---
9 |
10 | ## Get the Cards
11 |
12 | 
13 |
14 | The primary source document is a [Word document](https://github.com/OWASP/cornucopia/releases/tag/v2.0.0).
15 |
16 | However, pre-printed card decks may be more useful, or there are links to the source design files for the cards themselves (see links underneath).
17 | You can also choose to play the OWASP Cornucopia Website App Edition and Mobile App Edition online at [copi.owasp.org](https://copi.owasp.org)
18 |
19 | ### Printed
20 |
21 | OWASP no longer has a stock of printed decks.
22 |
23 | OWASP does not endorse or recommend commercial products or services. However, [Agile Stationary](https://agilestationery.co.uk/) offer [large print (v2.0) web app decks](https://agilestationery.com/products/owasp-cornucopia-2-0-website-app-edition-threat-modeling-cards?_pos=2&_psq=cornucipia&_ss=e&_v=1.0) and [large print (v1.0) mobile app decks](https://agilestationery.com/products/owasp-cornucopia-mobile-app-edition-threat-modeling-cards?_pos=3&_psq=cornucip&_ss=e&_v=1.0). They also offer a [croupier](https://croupier.agilestationery.co.uk/) to help you distribute cards to team members. Also, [dotNET lab](https://www.dotnetlab.eu/) sell a [printed deck](https://webshop.dotnetlab.eu/product/cornucopia-card-deck/) which complements their [online reference](https://cornucopia.dotnetlab.eu/cards).
24 |
25 | ### Print your own
26 |
27 | There are many ways to print copies of the card decks yourself:
28 |
29 | 1. Download the free Adobe Illustrator files and get them professionally printed;
30 | 1. Print the Word document onto business card blanks;
31 | 1. Print the Word document onto normal card and cut the cards out individually using the guide; or
32 | 1. Generate your own cards from the free source XML data file in the repository.
33 |
34 | For instructions on printing your own decks, please go to [cornucopia.owasp.org](https://cornucopia.owasp.org/printing)
35 |
36 | ### Source files
37 |
38 | Source code to generate the Word document, PDFs and InDesign files for printing are maintained in our [Github repository](https://github.com/OWASP/cornucopia/releases)
39 |
--------------------------------------------------------------------------------
/tab_faqs.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: FAQs
3 | displaytext: Frequently Asked Questions
4 | layout: null
5 | tab: true
6 | order: 3
7 | tags: cc
8 | ---
9 |
10 | ## Frequently Asked Questions
11 |
12 | 
13 |
14 | ### Can I copy or edit the game?
15 | Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?
16 | ### How can I get involved?
17 | Please send ideas or offers of help to the project’s List/Group.
18 | ### How were the attackers’ names chosen?
19 | EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", the original Ecommerce Website Edition used the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, we dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative. Some names have been changed over the years to include some more recent project volunteers.
20 | ### Why aren’t there any images on the card faces?
21 | There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included.
22 | ### Are the attacks ranked by the number on the card?
23 | Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.
24 |
25 | 
26 |
27 | ### How long does it take to play a round of cards using the full deck?
28 | This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.
29 | ### What sort of people should play the game?
30 | Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.
31 | ### Who should take notes and record scores?
32 | It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.
33 | ### Should we always use the full deck of cards?
34 | No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.
35 | ### What should players do when they have an Ace card that says “invented a new X attack”?
36 | The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.
37 | ### I don’t understand what the attack means on each card - is there more detailed information?
38 | Yes, the card browser on our website has more information on what each card means. The website was created to help players understand the attacks. See [cornucopia.owasp.org](https://cornucopia.owasp.org/cards).
39 |
--------------------------------------------------------------------------------
/tab_play.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Play
3 | displaytext: How to Play
4 | layout: null
5 | tab: true
6 | order: 2
7 | tags: cc
8 | ---
9 |
10 | ## How to Play
11 |
12 | Please visit [cornucopia.owasp.org](https://cornucopia.owasp.org/how-to-play)
13 |
--------------------------------------------------------------------------------
/tab_roadmap.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Roadmap
3 | displaytext: Road Map and Getting Involved
4 | layout: null
5 | tab: true
6 | order: 5
7 | tags: cc
8 | ---
9 |
10 | ## Road Map
11 |
12 | ### v2.x
13 |
14 | Below is a preliminary summary of our wishes, dreams and aspirations for Cornucopia. If you have suggestions, ideas, please feel free to discuss them on our [email list](https://groups.google.com/a/owasp.org/g/cornucopia-project) or submit them to our [list of issues](https://github.com/OWASP/cornucopia/issues) in our repository.
15 | If you feel like and have the oportunity to help with any of the issues below, do not hesitate to get in touch.
16 |
17 | Ordered alphabeticly and not according to priority.
18 |
19 | - Build the requirement map on the card using OpenCRE for easier maintainence and collaboration. [cornucopia #595](https://github.com/OWASP/cornucopia/issues/595)
20 | - Endpoint per card with more information available on copi. [copi #6](https://github.com/secure-delivery/copi/issues/6)
21 | - Ensure the converter can create print-ready proofs for print-on-demand jobs. [](https://github.com/OWASP/cornucopia/issues/583)
22 | - Include QR codes on the Cornucopia cards. [cornucopia #382](https://github.com/OWASP/cornucopia/issues/382)
23 | - Language review of the existing translations. [cornucopia #596](https://github.com/OWASP/cornucopia/issues/596)
24 | - Migrate the wiki deck to github wiki. [cornucopia #1](https://github.com/OWASP/www-project-cornucopia/issues/1)
25 | - Seek worldwide translators and incorporate additional translations for other languages.
26 |
27 | ## Getting Involved
28 |
29 | 
30 |
31 | Involvement in the development and promotion of Cornucopia is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.
32 |
33 | ### Localization
34 |
35 | Are you fluent in another language? Can you help translate Cornucopia into that language? Note this is a very large task due to the number of documents involved, but the strings are now all available in textual data files.
36 |
37 | ### Use and Promote the Cornucopia Card Decks
38 |
39 | Please help raise awareness of Cornucopia by:
40 | * Printing dcks of cards and giving them away
41 | * Using Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
42 | * Creating videos about how to play the game
43 | * Developing a mobile app to play the game
44 |
45 | ### Feedback
46 |
47 | 
48 |
49 | Please use the friendly project [Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/cornucopia-project) for feedback:
50 |
51 | * What do like?
52 | * What don't you like?
53 | * What cards don't make sense?
54 | * How could the guidance be improved?
55 | * What other decks would you like to see?
56 |
57 | ### Keep the Cards Updated
58 |
59 | As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the project's [Google Group](https://groups.google.com/a/owasp.org/forum/#!forum/cornucopia-project) if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
60 |
61 | ### Create a New Deck
62 |
63 | The first deck, Cornucopia Ecommerce Website Edition, has been renamed Cornucopia Website App Edition and is currently available in six languages. There is also a mobile app specific deck called Cornucopia Mobile App Edition available in English only. Do you have an idea for your own application security requirements card deck?
64 |
--------------------------------------------------------------------------------