Questions & Answers

Can I copy or edit the game?

Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

How can I get involved?

If you have questions, suggestions or ideas, please feel free to discuss them on our email list or submit them to our list of issues in our repository. If you feel like helping and have the opportunity to do so, do not hesitate to get in touch with us.

How were the attackers’ names chosen?

EoP begins every description with words like "An attacker can...". These have to be phrased as an attack, but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", the original Ecommerce Website Edition used the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, we dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects these sources of names and is not meant to be world-representative. Some names have been changed over the years to include some more recent project volunteers.

Why aren’t there any images on the card faces?

There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Please get in touch with us if you would like to contribute.

Are the attacks ranked by the number on the card?

Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

How long does it take to play a round of cards using the full deck?

This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

What sort of people should play the game?

Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

Who should take notes and record scores?

It is better if someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

Should we always use the full deck of cards?

No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all for the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without a trump suit until people are more familiar with the idea.

What should players do when they have an Ace card that says “invented a new X attack”?

The player can make up any attack they think is valid but must match the suit of the card (e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

I don’t understand what the attack means on each card - is there more detailed information?

Yes, please look up the card in our card browser on this website. This site is specifically created to help players understand each attack.

OWASP Cornucopia

  • OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic, and is free to use.
  • OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar licence to this one.
  • © 2012-2025 OWASP Foundation. The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.