diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 9593e700..c06cc9d5 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -20,6 +20,7 @@ AppSec AppSensor Arithmatex Atlassian +authorisation BOLA BOM BOMs @@ -93,6 +94,7 @@ ECB ECMA EE ENISA +EoP ESAPI Ebihara Ecommerce @@ -300,6 +302,7 @@ SuperFences Sydseter Symfony TCP +th TLS TMBOM TOCTOU diff --git a/docs/en/04-design/01-threat-modeling/04-cornucopia.md b/docs/en/04-design/01-threat-modeling/04-cornucopia.md index 10e890cb..89280982 100644 --- a/docs/en/04-design/01-threat-modeling/04-cornucopia.md +++ b/docs/en/04-design/01-threat-modeling/04-cornucopia.md @@ -1,149 +1,66 @@ ![Cornucopia logo](../../../assets/images/logos/cornucopia.png "OWASP Cornucopia"){ align=right width=180 } -OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security +#### What is Cornucopia? + +OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic. -The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application +The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, identify application security requirements and develop security-based user stories. [Cornucopia][cornucopia] is an OWASP production project. The cards can be [downloaded][cornucopia-cards] and printed or [bought online][online] from its website. -It is also possible to play OWASP Cornucopia online using the cornucopia game engine called [Copi][copi]. Using the -[online game engine][copi], it is possible to play: - -* [OWASP Cornucopia Website App][start-game] to gamify threat modeling and requirement analysis for website apps -* [OWASP Cornucopia Mobile App][start-game] to gamify threat modeling and requirement analysis for mobile apps -* [Elevation of Privilege][eop] to do general threat modeling -* [Elevation of MLSec][mlsec] for threat modeling applications that uses machine learning or Gen AI -* [OWASP Cumulus][cumulus] for threat model cloud infrastructure - -#### What is Cornucopia? - -Cornucopia provides a [set of cards][cornucopia-browser] designed to gamify threat modeling activities, -helping agile development teams to identify weaknesses in applications and then record remediations or requirements. - -There are three versions of the Cornucopia deck of threat modeling cards: - -* Website App Edition -* Mobile App Edition -* Enterprise App Edition (legacy) - -The decks come with several suits according to the application, and always contain an overall 'Cornucopia' suit. - -Cornucopia can be played in many different ways, there is no one way, -and there is a suggested [set of rules][cornucopia-play] to start the game off. -Cornucopia provides a [score sheet][cornucopia-score] to can help keep track of the game session and to record outcomes. - -#### Website App Edition - -Each card in the Website App deck describes a common error or anti-pattern that allows systems to be vulnerable to attack. -Vulnerabilities are arranged in domains as five suits with the additional Cornucopia suit ranging across these domains: - -* Data Validation and Encoding -* Authentication -* Session Management -* Authorization -* Cryptography -* Cornucopia - -To provide context the Cornucopia Website App cards reference other projects: +It is also possible to play OWASP Cornucopia online using the cornucopia game engine called [Copi][copi]. +The game engine also has a broad selection of other EoP-related games. -* OWASP Application Security Verification Standard ([ASVS][asvs]) -* OWASP Developer Guide ([Web Application Checklist][devguide]) -* STRIDE -* MITRE's Common Attack Pattern Enumeration and Classification ([CAPEC][capec]) -* [SAFEcode][safecode] - -#### Mobile App Edition - -Similarly to the website application deck, the mobile application deck has five domains/suits, -with Cornucopia cross domain: - -* Platform and Code -* Authentication and Authorization -* Network and Storage -* Resilience -* Cryptography -* Cornucopia - -For context the Cornucopia Mobile App cards reference these other projects: - -* OWASP Mobile Application Security Verification Standard ([MASVS][masvs]) -* OWASP Mobile Application Security Testing Guide ([MASTG][mastg]) -* MITRE's Common Attack Pattern Enumeration and Classification ([CAPEC][capec]) -* [SAFEcode][safecode] - -#### Ecommerce Website Edition +#### Why use it? -This is the original Cornucopia deck and has the same domains/suits, including the Cornucopia cross domain suit, -as the Website App Edition. Some of the vulnerabilities are specific to Ecommerce, -but it references the same projects as the website edition. +The [OWASP Cornucopia][cornucopia] card game is designed to help developers think about possible threats in a solution +design, and derive a set of security requirements to build against. Team members are each dealt cards that describe +particular threats. They then take turns trying to make a case for their particular threat, posing a risk to the solution +design, scoring points if they are able to do so. -#### Why use it? +OWASP Cornucopia uses threats grouped into areas that are particularly relevant to software developers, such as AI, +authentication, authorisation, cloud, data validation & encoding, DevOps, and frontend (client-side development). +The threats are derived from various standards, OWASP Top 10 lists, guides, +and other lists. For a full list and to find out how you can acquire and +play their list of games, see their website at +[cornucopia.owasp.org][mapping]. Cornucopia is useful for both requirements analysis and threat modeling, providing gamification of these activities within the development lifecycle. -It is targeted towards agile development teams and provides a different perspective to these tasks. +It is targeted towards agile development teams and provides a different perspective on these tasks. The outcome of the game is to identify possible threats and propose remediations. #### How to use Cornucopia +Cornucopia can be played in many different ways; there is no one way, +and there is a suggested [set of rules][cornucopia-play] to start the game off. +[OWASP Threat Dragon][threat-dragon] also has a diagram called "EoP Games" that allows the players to link the card that +scores directly to a threat model to simplify security requirement analysis. + The OWASP Spotlight series provides an excellent overview of Cornucopia and how it can be used for gamification: 'Project 16 - [Cornucopia][spotlight16]'. [Videos on the OWASP Cornucopia website][cornucopia-play] also demonstrate several -ways the game can be utilized. - -Ideally Cornucopia is played in person using physical cards, -with the development team and security architects in the same room. -The application should already have been described by an architecture diagram or data flow diagram -so that the players have something to refer to during the game. - -The suggested order of play is: - -1. Pre-sort: the deck, some cards may not be relevant for the web application -2. Deal: the cards equally to the players -3. Play: the players take turns to select a card -4. Describe: the player describes the possible attack using the card played -5. Convince: the other players have to be convinced that the attack is valid -6. Score: award points for a successful attack -7. Follow suit: the next player has to select a card from the same suit -8. Winner: the player with the most points -9. Follow up: each valid threat should be recorded and acted upon - -Remember that the outcome of the game is to identify possible threats and propose remediations, -as well as having a good time. +ways the game can be utilized. There is also a [OWASP 25th Anniversary Video][owasp25th] that gives a short presentation on +the games and how to use them. #### References -* Application Security Verification Standard, [ASVS][asvs] -* Common Attack Pattern Enumeration and Classification, [CAPEC][capec] -* [Cornucopia][cornucopia] -* Mobile Application Security Verification Standard, [MASVS][masvs]) -* Mobile Application Security Testing Guide, [MASTG][mastg]) -* [SAFEcode][safecode] +* [OWASP Cornucopia Website][cornucopia] * [Spotlight][spotlight16] on Cornucopia -* OWASP Developer Guide ([Web Application Checklist][devguide]) ---- The OWASP Developer Guide is a community effort; if there is something that needs changing then [submit an issue][issue060104] or [edit on GitHub][edit060104]. -[asvs]: https://owasp.org/www-project-application-security-verification-standard/ -[capec]: https://capec.mitre.org/ [cornucopia]: https://cornucopia.owasp.org -[cornucopia-browser]: https://cornucopia.owasp.org/cards [cornucopia-cards]: https://cornucopia.owasp.org/printing#Current-printable-version -[cornucopia-score]: https://owasp.org/www-project-cornucopia/assets/files/Cornucopia-scoresheet.pdf [cornucopia-play]: https://cornucopia.owasp.org/how-to-play [copi]: https://copi.owasp.org -[cumulus]: https://github.com/OWASP/cumulus -[eop]: https://github.com/adamshostack/eop [edit060104]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/04-cornucopia.md [issue060104]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/04-cornucopia -[mastg]: https://mas.owasp.org/MASTG/ -[masvs]: https://mas.owasp.org/MASVS/ -[mlsec]: https://github.com/kantega/elevation-of-mlsec +[mapping]: https://cornucopia.owasp.org/about#Mappings [online]: https://cornucopia.owasp.org/webshop -[safecode]: https://safecode.org/ -[devguide]: https://devguide.owasp.org/en/04-design/02-web-app-checklist/ +[owasp25th]: https://www.youtube.com/watch?v=KmjUM0EF_24 [spotlight16]: https://youtu.be/NesxjEGX58s -[start-game]: https://copi.owasp.org/games/new +[threat-dragon]: https://www.threatdragon.com