The Card Decks

Both current decks have six suits and there are also two Joker cards. Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King). This page contains the card browser where you can browse through each of the cards in the OWASP Cornucopia decks.

Data Validation & Encoding: VE2, VE3, VE4, VE5, VE6, VE7, VE8, VE9, VEA, VEJ, VEK, VEQ, VEX

Authentication: AT2, AT3, AT4, AT5, AT6, AT7, AT8, AT9, ATA, ATJ, ATK, ATQ, ATX

Session Management: SM2, SM3, SM4, SM5, SM6, SM7, SM8, SM9, SMA, SMJ, SMK, SMQ, SMX

Authorization: AZ2, AZ3, AZ4, AZ5, AZ6, AZ7, AZ8, AZ9, AZA, AZJ, AZK, AZQ, AZX

Cryptography: CR2, CR3, CR4, CR5, CR6, CR7, CR8, CR9, CRA, CRJ, CRK, CRQ, CRX

Cornucopia: C2, C3, C4, C5, C6, C7, C8, C9, CA, CJ, CK, CQ, CX

Wild Card: JOA, JOB

Website App version

This is the edition previously called the Ecommerce Website Edition. Instead of EoP's STRIDE suits, the suits were selected based on the structure of the OWASP Secure Coding Practices - Quick Reference Guide (SCP). The content was mainly drawn from the SCP, with additional consideration of sections in the OWASP Application Security Verification Standard, the OWASP Web Security Testing Guide and David Rook's Principles of Secure Development. These provided five suits, and a sixth called "Cornucopia" was created for everything else:

  • DATA VALIDATION & ENCODING
  • AUTHENTICATION
  • SESSION MANAGEMENT
  • AUTHORIZATION
  • CRYPTOGRAPHY
  • CORNUCOPIA
  • WILD CARD

DATA VALIDATION & ENCODING 2 (VE2)

Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code.

References:

  • OWASP SCP: 69, 107, 108, 109, 136, 137, 153, 156, 158, 162
  • OWASP ASVS: 1.6.4, 2.10.4, 4.3.2, 7.1.1, 10.2.3, 14.1.1, 14.2.2, 14.3.3
  • OWASP AppSensor: HT1, HT2, HT3
  • CAPEC: -
  • SAFECODE: 4, 23

OWASP Cornucopia

  • OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language-, platform- and technology-agnostic, and is free to use.
  • OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar licence to this one.
  • © 2012-2025 OWASP Foundation. The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.