Threat modeling for everyone everywhere

Uncover the security flaws in your software's design before the bad guys do it for you! Get your team together on a call or in a room and use the OWASP Cornucopia Web & Mobile card decks to guide your threat modeling.

OWASP Cornucopia
Wild Card: Joker

Alice can utilize the application to attack users' systems and data

Cornucopia 7

Mwengu's actions cannot be investigated because there is not an adequate, accurately time-stamped record of security events, or there is not a full audit trail, or these can be altered or deleted by Mwengu, or there is no centralized logging service

OWASP SCP: 194, 195, 196, 197, 198, 199, 200, 201, 202, 205, 206, 207, 208, 209
OWASP ASVS: 14.1.2
OWASP AppSensor: -
CAPEC: -
SAFECODE: 3, 5, 6, 7, 9, 22, 25, 26, 34
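The card above asks for a record of security events that is time-stamped, complete, cannot be quietly altered or deleted, and is held centrally. The Python below is an added example, not code from the Cornucopia project or this page, of one way to meet the "cannot be altered or deleted" requirement: an append-only audit log in which every entry commits to the hash of the one before it, with the latest hash shipped off-box. The actors, event names and IP address are constructed.

```python
# Added example for the Cornucopia 7 card, not OWASP project code.
# A hash-chained, append-only audit trail: each entry commits to the previous
# entry's hash, so altering or deleting an earlier record breaks verification.
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record always
    # hashes the same way regardless of dict ordering or whitespace.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Security-event log with sequence numbers, UTC timestamps and a hash chain."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, actor: str, event: str, detail: dict,
               when: Optional[datetime] = None) -> Dict:
        # Timestamps should come from an NTP-synchronized clock; here we use
        # the host's UTC time unless the caller supplies one.
        when = when or datetime.now(timezone.utc)
        record = {
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "actor": actor,
            "event": event,
            "detail": detail,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record["hash"] = _digest(prev, record)  # computed before the key exists
        self.entries.append(record)
        return record

    def head(self) -> str:
        """Latest chain hash; ship this to a separate, centralized log service."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Recompute the chain. Returns (ok, index of first bad entry or -1).
        If expected_head (a hash recorded off-box) is given, truncation of the
        tail is also detected, which the chain alone cannot do."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or _digest(prev, body) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed events (not real data) showing what the chain does and does not catch."""
    log = AuditLog()
    log.append("mwengu", "login.success", {"src_ip": "203.0.113.7"})
    log.append("mwengu", "role.grant", {"target": "alice", "role": "admin"})
    log.append("mwengu", "logout", {})
    shipped_head = log.head()  # e.g. forwarded to a central log service at write time
    results = {"intact": log.verify(shipped_head)}

    # 1. Rewriting who granted the role, without re-hashing, is detected at entry 1.
    log.entries[1]["actor"] = "alice"
    results["tampered"] = log.verify(shipped_head)
    log.entries[1]["actor"] = "mwengu"  # restore

    # 2. Deleting the newest entry is invisible to the chain alone...
    last = log.entries.pop()
    results["truncated_local_only"] = log.verify()
    # ...but not when the head hash was recorded elsewhere.
    results["truncated_vs_shipped"] = log.verify(shipped_head)
    log.entries.append(last)

    # 3. Deleting an inner entry breaks both the sequence and the chain.
    del log.entries[1]
    results["inner_deleted"] = log.verify(shipped_head)
    return results


if __name__ == "__main__":
    print(demo())
```

The chain detects edits and deletions of inner entries by itself, but an attacker who controls the log store can silently drop the newest entries; that case is only caught because the head hash was recorded somewhere the attacker cannot reach, which is the practical reason the card pairs a full audit trail with a centralized logging service. Timestamps are only useful in an investigation if the writing host's clock is synchronized.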

Cryptography 6

Romain can read and modify unencrypted data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems

OWASP SCP: 105, 133, 135
OWASP ASVS: 6.2.2
OWASP AppSensor: -
CAPEC: -
SAFECODE: 21, 29

Authorization 5

Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)

OWASP SCP: 44
OWASP ASVS: 4.1.3, 4.2.1, 5.1.5
OWASP AppSensor: -
CAPEC: -
SAFECODE: 8, 10, 11
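The Authorization 5 card lists many resource kinds (documents, temporary files, configuration data, logs) precisely because the missing check is usually the same one everywhere: the code looks an object up by identifier and never asks who is asking. The Python below is an added example, not Cornucopia project code, that puts a deny-by-default, least-privilege check in front of every resource kind and contrasts it with the unchecked lookup. The principals, resources and ACL grants are constructed.

```python
# Added example for the Authorization 5 card, not OWASP project code.
# Deny-by-default access check applied uniformly to every resource kind the
# card lists (documents, config, logs, temp files, ...), contrasted with a
# lookup that never asks who is calling. Names and grants are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str] = frozenset()


@dataclass
class Resource:
    kind: str                      # "document", "config", "log", "tempfile", ...
    rid: str
    owner: str
    # Explicit grants: principal or role name -> allowed actions.
    # Anything not listed here is denied.
    acl: Dict[str, Set[str]] = field(default_factory=dict)


def fetch_unchecked(store: Dict[str, Resource], rid: str) -> Resource:
    """The flaw on the card: access by identifier alone, no authorization."""
    return store[rid]


def is_allowed(p: Principal, action: str, r: Resource) -> bool:
    """Least privilege: an owner may read/write its own object; every other
    (principal, action) pair must appear in the ACL, directly or via a role."""
    if r.owner == p.name and action in ("read", "write"):
        return True
    granted: Set[str] = set(r.acl.get(p.name, set()))
    for role in p.roles:
        granted |= r.acl.get(role, set())
    return action in granted


def fetch(store: Dict[str, Resource], p: Principal, action: str, rid: str) -> Resource:
    r = store.get(rid)
    # One error for both "no such id" and "not yours", so the response does not
    # tell a caller which identifiers exist.
    if r is None or not is_allowed(p, action, r):
        raise PermissionError(f"{p.name} may not {action} {rid}")
    return r


def list_visible(store: Dict[str, Resource], p: Principal) -> List[str]:
    """Listing goes through the same check, so hidden ids are not leaked."""
    return sorted(rid for rid, r in store.items() if is_allowed(p, "read", r))


def demo() -> Dict[str, object]:
    store = {
        "doc-1": Resource("document", "doc-1", owner="alice"),
        "tmp-7": Resource("tempfile", "tmp-7", owner="alice"),
        "cfg-1": Resource("config", "cfg-1", owner="root", acl={"ops": {"read"}}),
        "log-1": Resource("log", "log-1", owner="root", acl={"auditor": {"read"}}),
    }
    chad = Principal("chad", frozenset({"ops"}))
    out: Dict[str, object] = {}
    # Unchecked: Chad reaches Alice's document and the audit log alike.
    out["unchecked"] = sorted(fetch_unchecked(store, rid).rid for rid in store)
    # Checked: only what his role was explicitly granted.
    out["visible"] = list_visible(store, chad)
    out["read_cfg"] = fetch(store, chad, "read", "cfg-1").kind
    for rid, action in (("cfg-1", "write"), ("doc-1", "read"),
                        ("log-1", "read"), ("nope", "read")):
        try:
            fetch(store, chad, action, rid)
            out[f"{action}:{rid}"] = "allowed"
        except PermissionError:
            out[f"{action}:{rid}"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of routing every kind of object through the same `fetch` is that "read a log file" and "read a document" are not special cases to be remembered separately; a new resource kind gets the check for free, and the listing function cannot expose an identifier that the fetch would refuse.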

Session Management 4

Alison can set session identification cookies on another web application because the domain and path are not restricted sufficiently

OWASP SCP: 58, 59
OWASP ASVS: 3.7.1
OWASP AppSensor: SE2
CAPEC: -
SAFECODE: 28
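The Session Management 4 card is about cookie scope: a session cookie issued with a Domain attribute is sent to, and can be shadowed by, every host under that domain, and a Path broader than the application's own path reaches other applications on the same host. The Python below is an added example, not Cornucopia project code, that reviews a Set-Cookie header against the application's host and path and recognises the __Host- prefix as the narrow form. The hostnames and headers are constructed.

```python
# Added example for the Session Management 4 card, not OWASP project code.
# Reviews a Set-Cookie header for the over-broad Domain/Path scoping that lets
# a sibling application receive, read or overwrite a session cookie, and
# accepts the __Host- prefix form as the narrow alternative. Sample headers
# and hostnames are constructed.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def cookie_scope_findings(header: str, app_host: str, app_path: str = "/") -> List[str]:
    """Return a list of problems; an empty list means the scope is as tight as
    cookies allow for an application served at https://{app_host}{app_path}."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []

    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        # Any Domain attribute makes this a domain cookie: browsers send it to
        # every host under `domain`, and any of those hosts may set a cookie of
        # the same name. Omitting Domain makes the cookie host-only.
        if domain != app_host.lower():
            findings.append(f"Domain={domain}: cookie is shared with every host under {domain}")
        else:
            findings.append("Domain set to own host: still a domain cookie; omit it for host-only")

    path = attrs.get("path", "")
    if not path:
        findings.append("no Path: browser defaults to the request's directory")
    else:
        norm = path.rstrip("/") or "/"
        app = app_path.rstrip("/") or "/"
        if norm != app and (norm == "/" or app.startswith(norm + "/")):
            findings.append(f"Path={path} is broader than the application path {app_path}")
        elif norm != app and not norm.startswith(app + "/"):
            findings.append(f"Path={path} does not match the application path {app_path}")

    if name.startswith("__Host-"):
        # RFC 6265bis: a __Host- cookie must be Secure, have Path=/ and no Domain,
        # and browsers refuse one set by another host or with a Domain attribute.
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    elif app_path.rstrip("/") == "":
        findings.append("advice: use the __Host- prefix so the browser enforces host-only scope")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed headers for an application at https://shop.example.com/."""
    host = "shop.example.com"
    return {
        "weak_domain": cookie_scope_findings(
            "sid=abc123; Domain=.example.com; Path=/; Secure; HttpOnly", host),
        "weak_path": cookie_scope_findings("sid=abc123; Path=/", host, "/shop"),
        "bad_prefix": cookie_scope_findings(
            "__Host-sid=abc123; Domain=example.com; Path=/; Secure", host),
        "hardened": cookie_scope_findings(
            "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", host),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found or "ok")
```

Two caveats a practitioner should keep in mind. Path is not a security boundary: the same-origin policy works per scheme, host and port, so script running at /blog on the same host can read a cookie scoped to /shop regardless of Path, and applications that must not share cookies belong on separate hostnames. And even a host-only cookie can be shadowed by a sibling host setting a same-named cookie with Domain=example.com; the __Host- prefix closes that because browsers reject any __Host- cookie carrying a Domain attribute.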

Data Validation & Encoding 3

Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats

OWASP SCP: 47, 52
OWASP ASVS: 2.5.2, 7.1.2, 7.1.4, 7.2.1, 8.2.1, 8.2.2, 8.2.3, 8.3.6
OWASP AppSensor: UT1
CAPEC: -
SAFECODE: 28
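The Data Validation 3 card lists the checks in a useful order: protocol format first, then duplicates, then structure, then each element's format, type, range, length and character allowlist. The Python below is an added example, not Cornucopia project code, that applies exactly that sequence to an inbound JSON message; the message schema and the sample messages are constructed for illustration.

```python
# Added example for the Data Validation 3 card, not OWASP project code.
# Positive ("whitelist") validation of an inbound message in the order the card
# lists: protocol format, duplicates, structure, then each element's type,
# range, length and allowed characters. The schema and samples are constructed.
import json
import re
from typing import Any, Dict

MAX_BYTES = 4096

# Every field the message may carry, with its allowed shape. Unknown fields are rejected.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "order_id": {"type": str, "pattern": re.compile(r"[A-Z]{2}-[0-9]{6}")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "note":     {"type": str, "max_len": 140, "pattern": re.compile(r"[A-Za-z0-9 .,'-]*")},
}
REQUIRED = {"order_id", "quantity"}


def _reject_duplicate_keys(pairs):
    # json.loads normally keeps the *last* duplicate silently; two components
    # that disagree on which copy wins is a classic parser-differential bug.
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate key(s) {dupes}")
    return dict(pairs)


def validate_message(raw: bytes) -> Dict[str, Any]:
    # 1. Protocol format: bounded size, UTF-8, JSON.
    if len(raw) > MAX_BYTES:
        raise ValueError("message exceeds size limit")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("message is not UTF-8") from exc
    msg = json.loads(text, object_pairs_hook=_reject_duplicate_keys)  # 2. duplicates
    # 3. Structure: an object carrying only known keys and all required ones.
    if not isinstance(msg, dict):
        raise ValueError("top level must be an object")
    unknown, missing = set(msg) - set(SCHEMA), REQUIRED - set(msg)
    if unknown or missing:
        raise ValueError(f"unknown fields {sorted(unknown)}, missing fields {sorted(missing)}")
    # 4. Each element: type, range, length, character allowlist.
    for key, rule in SCHEMA.items():
        if key not in msg:
            continue
        val = msg[key]
        # bool is a subclass of int in Python, so `true` would pass an int check.
        if isinstance(val, bool) or not isinstance(val, rule["type"]):
            raise ValueError(f"{key}: expected {rule['type'].__name__}")
        if "min" in rule and not rule["min"] <= val <= rule["max"]:
            raise ValueError(f"{key}: out of range {rule['min']}..{rule['max']}")
        if "max_len" in rule and len(val) > rule["max_len"]:
            raise ValueError(f"{key}: longer than {rule['max_len']}")
        # fullmatch, not match/search: a '$' anchor still accepts a trailing newline.
        if "pattern" in rule and not rule["pattern"].fullmatch(val):
            raise ValueError(f"{key}: contains characters outside the allowlist")
    return msg


def check(raw: bytes) -> str:
    """'ok' or 'rejected: <reason>'; json.JSONDecodeError is a ValueError too."""
    try:
        validate_message(raw)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed samples.
GOOD = b'{"order_id": "AB-123456", "quantity": 3, "note": "leave at door"}'
DUPLICATE = b'{"order_id": "AB-123456", "order_id": "ZZ-000000", "quantity": 3}'
BAD_TYPE = b'{"order_id": "AB-123456", "quantity": "3"}'
BAD_RANGE = b'{"order_id": "AB-123456", "quantity": 0}'
BAD_CHARS = b'{"order_id": "AB-123456", "quantity": 1, "note": "<script>alert(1)</script>"}'
EXTRA_FIELD = b'{"order_id": "AB-123456", "quantity": 1, "role": "admin"}'
NOT_JSON = b"order_id=AB-123456&quantity=1"

if __name__ == "__main__":
    for sample in (GOOD, DUPLICATE, BAD_TYPE, BAD_RANGE, BAD_CHARS, EXTRA_FIELD, NOT_JSON):
        print(sample[:40], "->", check(sample))
```

Rejecting unknown fields is what stops the `"role": "admin"` sample; a validator that only checks the fields it knows about leaves mass-assignment open. The allowlist pattern is deliberately what the field needs and nothing more, which is why the `<script>` note fails without any list of dangerous characters being maintained.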

Authentication 2

James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)

OWASP SCP: 69, 107, 108, 109, 136, 137, 153, 156, 158, 162
OWASP ASVS: 1.6.4, 2.10.4, 4.3.2, 7.1.1, 10.2.3, 14.1.1, 14.2.2, 14.3.3
OWASP AppSensor: HT1, HT2, HT3
CAPEC: -
SAFECODE: 4, 23

Introduction

The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.

OWASP Cornucopia is an easy way to introduce the practice of threat modeling in a software development team. Playing the card game encourages the development team to actively think about the kind of threats that can emerge when creating software. This empowers teams to independently secure their applications while building them. Doing so embraces the shift-left strategy, where security becomes an integrated part of the development cycle.

➔ Read more
How to start

To start using Cornucopia:

  1. Either obtain or buy a pre-printed deck of cards;
  2. Or: Download the free Adobe Illustrator files and get them professionally printed (see: printing instructions);
  3. Or: Play the game online at copi.owasp.org.
  4. Identify an application, module or component to assess.
  5. Invite business owners, architects, developers, testers along for a card game.
  6. Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes.
  7. Select a portion of the deck to start with.
  8. Play the game to discuss & document security requirements (and to win rounds).
  9. Remember to have fun!
➔ How to play
Open source

There are a large number of source design files for the cards themselves in various languages and formats. These design files, together with the source code to generate the Word document, PDFs and InDesign files for printing, are maintained in our GitHub repository.

One of the main advantages of the OWASP Cornucopia card game being open source is that it allows anyone to access and use the game without any licensing fees or restrictions. This encourages widespread adoption and makes it easier for teams to integrate the game into their security practices. Additionally, being open source means that the game is transparent and customizable. Teams can modify the game to suit their specific needs and address the security threats that are most relevant to their applications. They can also contribute back to the game's development by submitting new cards or improvements. Furthermore, open source software tends to have a large and active community of developers who contribute to the codebase and offer support. This can lead to faster bug fixes and updates, ensuring that the game remains relevant and effective in identifying security threats.

View source on GitHub ➔

OWASP Cornucopia

  • OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic, and is free to use.
  • OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.
  • © 2012-2025 OWASP Foundation. The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.