On the one hand, I'm a gamer. I enjoy trading card games (TCG) like Dixit, Hearthstone, and Magic: The Gathering, and believe they are deeply immersive gateways to imaginary worlds that you explore with friends. They center around exploration, creativity, and play, and feel like the opposite of work. What's not to love?

On the other hand, I'm an infrastructure developer. I read and write code while asking questions like “is this reliable?”, “is this fast?”, and “is this safe?” These are serious questions that are often hard to solve. Never had I thought I'd be able to combine my love for TCGs with a topic as weighty as app security. And yet it's possible.

You may know the OWASP Foundation from its annual Top 10 Web App Security Risks articles. If you don't, OWASP is an important authority in the field of web app security. They have plenty of free resources to improve your app's security, including, it turns out, a trading card game: OWASP Cornucopia.

In this blog post, I'll explore how to play Cornucopia and how the game can help improve the security of your app. Let's go.

How to Play Cornucopia

Setting Up the Game

First, you need to pick the language you're most comfortable playing in, print out one of the respective documents below, and cut out the individual cards.

Cornucopia is under the Creative Commons Attribution License, so you're entirely free to download the document and translate it into your language if you want to help with the project's internationalization.

Alternatively, you can buy Cornucopia cards at Amazon or other e-commerce websites. Sometimes, you can buy them from selling points at InfoSec conferences too.

Once you've printed and cut out the cards, create a scoresheet (either online or on a printed sheet of paper) with player names, the name of the application, and which part of your app you will be examining throughout the game.

Let's imagine we're examining the basket functionality of a v1 pet shop e-commerce application we're working on. Ideally, you play this with the team you're building the app with. Cornucopia allows you to identify both genuine security threats to your app and gaps in your security knowledge, so you can prioritize your learning appropriately.

Playing Your First Round

It's time to organize the deck. If it's your first time playing, remove the Aces, Jokers, and Cornucopia cards. These are difficult cards that you can reintroduce when you're more familiar with the game (we'll cover these cards in a future blog post). Also remove the cards not relevant to your app. For example, if your app is unauthenticated, remove all Authentication cards.

Next, take all the remaining cards and give them a good shuffle. Deal out six cards face down to each player. Then give everyone a few minutes to read their cards. Wait until everyone indicates they've read their cards. Next, choose who starts first. For the sake of explanation, imagine you're first. You have these cards:

Now you need to choose the highest-possible card that you think best describes a scenario that can threaten your app. Your job is to convince the other players that your app is vulnerable to this threat. If you succeed, you win a point. If you fail, you don't win a point.

Each player plays their card this way, trying to convince the team that the scenario on their card is a genuine security threat to the app. At the end of each round, a point is also given to the player who had the highest valid card (the higher the card, the more serious the security threat).

Let's clarify with an example. Imagine you play a Q from Authorization, which describes a scenario where Christopher can inject a command so the app will run at a higher privilege level. You argue that the pet shop app is vulnerable to this, because it runs in Java with an outdated Log4j.

If the other team members can't argue with your logic, you win a point. If a team member says that Log4j is already updated and no longer represents a threat, you don't win a point. That's it. On to the next player until everyone has played their card, after which the highest valid card gets another point.

You keep playing rounds until all players have played their cards. The winner is the person with the most points, i.e. the player who played the most and/or the highest cards with genuine security threats.

In Conclusion

In a future blog post, I will explain what you should do with the Joker, Ace, and Cornucopia cards, diving deeper into the security concepts of these cards. For now, simply try out Cornucopia with your team! It's a great game that can quickly help you identify possible security threats in your app.