Threat modeling for everyone everywhere

Uncover the security flaws in your software before the bad guys do it for you by playing the game! Get your team together on a call or in a room and use the OWASP Cornucopia Web & Mobile card decks to guide your threat modeling.

Don't gamble with your security, play games with it.

WILD CARD Joker

Alice can utilize the application to attack users' systems and data

CORNUCOPIA 7

Mwengu's actions cannot be investigated because there is not an adequate, accurately time-stamped record of security events, or there is not a full audit trail, or these can be altered or deleted by Mwengu, or there is no centralized logging service

STRIDE: -
OWASP DevGuide: -
OWASP ASVS: -
CAPEC™: 184,242,248,441,444,523,549,636,691
SAFECODE: -
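An added illustration of what closes card 7, written for this page rather than taken from the Cornucopia deck or the project's code: a hash-chained, time-stamped audit log in which every record commits to the hash of the record before it, so an edited, deleted or truncated entry is detectable on review. The actor name, events and timestamps are constructed sample data, and the `expected_head` value stands in for the latest chain hash that a separate, centralized logging service would hold (an assumption for the example, not a Cornucopia requirement).

```python
"""Hash-chained audit log: each entry commits to the previous entry's hash,
so editing or deleting a record invalidates every hash after it."""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first record


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_event(chain, actor, action, target, when=None):
    """Append a UTC time-stamped event; returns the new chain entry."""
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    record = {"ts": ts, "actor": actor, "action": action, "target": target}
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Return (True, None) if intact, else (False, index of first bad entry).

    expected_head is the latest hash as recorded by an independent party
    (here, an assumed central log service). Without it, silently dropping
    the newest entries leaves a chain that still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo():
    """Constructed sample: three events, then three kinds of tampering."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    chain = []
    append_event(chain, "mwengu", "login", "portal", t0)
    append_event(chain, "mwengu", "export", "customers.csv", t0)
    append_event(chain, "mwengu", "delete", "invoice/42", t0)
    head = chain[-1]["hash"]  # what the central log service would hold

    edited = copy.deepcopy(chain)
    edited[1]["record"]["actor"] = "someone-else"   # rewrite who exported

    deleted = copy.deepcopy(chain)
    del deleted[1]                                   # drop the export entirely

    truncated = copy.deepcopy(chain)[:-1]            # drop the newest entry

    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_anchored": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The last two results are the point of the card's "no centralized logging service" clause: a chain on its own proves that nothing in the middle was edited or removed, but only a copy of the head hash held somewhere Mwengu cannot write to proves that the end of the log has not been cut off.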

CRYPTOGRAPHY 6

Romain can read and modify unencrypted data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems

STRIDE: T
OWASP DevGuide: SFL8,SFL10,ACM9,MM1,MM2,MM3,MM4,MM5,MM6,MM8,MM9
OWASP ASVS: 14.1.2
CAPEC™: 25,26,77,29,96,100,123,124,125,128,129,130,131,264,446
SAFECODE: 3,5,6,7,9,22,25,26,34

AUTHORIZATION 5

Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)

STRIDE: I
OWASP DevGuide: P15,CP6,SCM6,SCM7,PDR1,PDR3
OWASP ASVS: 6.2.2
CAPEC™: 39,97,162,204
SAFECODE: 21,29

SESSION MANAGEMENT 4

Alison can set session identification cookies on another web application because the domain and path are not restricted sufficiently

STRIDE: T
OWASP DevGuide: P7
OWASP ASVS: 4.1.3,4.2.1,5.1.5
CAPEC™: 62,94,154,157,173,240,481,569
SAFECODE: 8,10,11
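An added example for card 4, not part of the Cornucopia deck or the project's code: a small check that reads a Set-Cookie header and reports where a session cookie's Domain and Path are wider than the issuing host and application mount point, alongside the usual Secure, HttpOnly and SameSite flags. The host names, cookie values and mount point below are constructed sample data.

```python
"""Audit the scope of a session cookie from its Set-Cookie header."""

FLAG_NAMES = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # bare flags map to ""
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, host, app_path="/"):
    """Return a list of findings; an empty list means the cookie is tightly scoped.

    host     - the host that issued the cookie, e.g. shop.example.com
    app_path - the URL prefix the application is mounted under
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    domain = attrs.get("domain", "").lstrip(".").lower()
    path = attrs.get("path", "/")

    if name.startswith("__Host-"):
        # Browsers only accept a __Host- cookie that is Secure, host-only
        # (no Domain attribute) and Path=/. That pins the scope for us and
        # makes the browser reject a same-named cookie set from any other host.
        if domain or path != "/" or "secure" not in attrs:
            findings.append("__Host- prefix used but Secure / no Domain / Path=/ not all met")
    else:
        if domain and domain != host.lower():
            # Domain=example.com is sent to, and can be overwritten from,
            # every subdomain, so a sibling application can set this cookie.
            findings.append(f"Domain={domain} is broader than the issuing host {host}")
        if app_path != "/" and not path.rstrip("/").startswith(app_path.rstrip("/")):
            findings.append(f"Path={path} is broader than the application mount point {app_path}")

    for flag, shown in FLAG_NAMES.items():
        if flag not in attrs:
            findings.append(f"missing {shown}")
    return findings


# Constructed sample headers: a loosely scoped cookie, a host-only cookie
# narrowed to the mount point, and a __Host- prefixed cookie.
WEAK = "sessionid=2f1c9e; Domain=example.com; Path=/"
HOST_ONLY = "sessionid=2f1c9e; Path=/shop; Secure; HttpOnly; SameSite=Lax"
HARDENED = "__Host-sessionid=2f1c9e; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    host, mount = "shop.example.com", "/shop"
    return {
        "weak": audit_session_cookie(WEAK, host, mount),
        "host_only": audit_session_cookie(HOST_ONLY, host, mount),
        "hardened": audit_session_cookie(HARDENED, host, mount),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

The Domain check only catches cookies the application itself scopes too widely. Even a host-only cookie can be shadowed by a cookie with the same name that a sibling subdomain sets with Domain=example.com; the `__Host-` prefix is what makes the browser refuse that, which is why the hardened sample uses it and gives up the narrower Path.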

DATA VALIDATION & ENCODING 3

Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats

STRIDE: S
OWASP DevGuide: SM1,SM2
OWASP ASVS: 3.7.1
CAPEC™: 61,196,633
SAFECODE: 28
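An added example for card 3, written for this page and not taken from the Cornucopia deck or the project's code: a validator for a small JSON order message that checks each of the things the card lists, in order. The wire format is parsed (malformed input is rejected), duplicate fields are refused rather than silently keeping the last one, the structure is checked against a fixed set of fields, and each element is checked for type, range, length and an allowlist of characters or values. The schema and the sample messages are constructed for the example.

```python
"""Allowlist validation of a JSON order message: format, duplicates,
structure, then per-field type, length, character set, value set and range."""
import json
import re

# Constructed schema for the example. Patterns are allowlists, not blocklists.
SCHEMA = {
    "order_id": {"type": str, "max_len": 10, "pattern": re.compile(r"[A-Z]{3}-[0-9]{6}")},
    "quantity": {"type": int, "min": 1, "max": 100},
    "currency": {"type": str, "allowed": {"EUR", "USD", "GBP"}},
    "note": {"type": str, "max_len": 200, "optional": True,
             "pattern": re.compile(r"[A-Za-z0-9 .,'-]*")},
}


class ValidationError(ValueError):
    pass


def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads would otherwise keep the last duplicate key."""
    seen, out = set(), {}
    for key, value in pairs:
        if key in seen:
            raise ValidationError(f"duplicate field {key!r}")
        seen.add(key)
        out[key] = value
    return out


def validate_order(raw):
    """Return the parsed message, or raise ValidationError with the first problem."""
    try:
        data = json.loads(raw, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValidationError("top level must be an object")

    unknown = set(data) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")

    for field, rule in SCHEMA.items():
        if field not in data:
            if rule.get("optional"):
                continue
            raise ValidationError(f"missing field {field!r}")
        value = data[field]
        # Exact type match: bool is a subclass of int and must not pass as one.
        if type(value) is not rule["type"]:
            raise ValidationError(f"{field}: expected {rule['type'].__name__}, got {type(value).__name__}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{field}: longer than {rule['max_len']} characters")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{field}: contains characters outside the allowlist")
        if "allowed" in rule and value not in rule["allowed"]:
            raise ValidationError(f"{field}: value not in allowed set")
        lo, hi = rule.get("min"), rule.get("max")
        if (lo is not None and value < lo) or (hi is not None and value > hi):
            raise ValidationError(f"{field}: out of range {lo}..{hi}")
    return data


def check(raw):
    """None if the message is accepted, otherwise the rejection reason."""
    try:
        validate_order(raw)
        return None
    except ValidationError as exc:
        return str(exc)


# Constructed sample messages, one per failure mode the card names.
SAMPLES = {
    "good":      '{"order_id": "ABC-123456", "quantity": 3, "currency": "EUR"}',
    "duplicate": '{"order_id": "ABC-123456", "quantity": 3, "quantity": 999, "currency": "EUR"}',
    "extra":     '{"order_id": "ABC-123456", "quantity": 3, "currency": "EUR", "admin": true}',
    "type":      '{"order_id": "ABC-123456", "quantity": "3", "currency": "EUR"}',
    "bool":      '{"order_id": "ABC-123456", "quantity": true, "currency": "EUR"}',
    "range":     '{"order_id": "ABC-123456", "quantity": 0, "currency": "EUR"}',
    "bad_chars": '{"order_id": "ABC-123456", "quantity": 3, "currency": "EUR", "note": "<script>alert(1)</script>"}',
    "malformed": '{"order_id": "ABC-123456", "quantity": 3',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:>10}: {check(raw) or 'accepted'}")
```

The duplicate-field check is the one most parsers skip: by default `json.loads` keeps the last value for a repeated key, so a message carrying `"quantity": 3` and later `"quantity": 999` passes any validation that only looks at the parsed object.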

AUTHENTICATION 2

James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)

STRIDE: R
OWASP DevGuide: A3,A11,A12,A17,A18,A19,A20,A21,P10,P11,P12,SL6,SL8,SLD9,M1,M2
OWASP ASVS: 2.5.2,7.1.2,7.1.4,7.2.1,8.2.1,8.2.2,8.2.3,8.3.6
CAPEC™: 21,49,50,151,600
SAFECODE: 28

Introduction

The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories.

OWASP Cornucopia is an easy way to introduce the practice of threat modeling in a software development team. Playing the card game encourages the development team to actively think about the kind of threats that can emerge when creating software. This empowers teams to independently secure their applications while building them. Doing so embraces the shift-left strategy, where security becomes an integrated part of the development cycle.

How to start

To start using Cornucopia:

  1. Get a deck: obtain or buy a pre-printed deck of cards, download the free Adobe Illustrator files and get them professionally printed (see: printing instructions), or play the game online at copi.owasp.org.
  2. Identify an application, module or component to assess.
  3. Invite business owners, architects, developers and testers along for a card game.
  4. Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes.
  5. Select a portion of the deck to start with.
  6. Play the game to discuss and document security requirements (and to win rounds).
  7. Remember to have fun!
Open source

OWASP Cornucopia is open source under the Creative Commons Attribution-ShareAlike 3.0 license.

There are a large number of source design files for the cards themselves in various languages and formats. These design files together with the source code to generate the Word document, PDFs and InDesign files for printing are maintained in our Github repository.

One of the main advantages of the OWASP Cornucopia card game being open source is that it allows anyone to access and use the game without any licensing fees or restrictions. This encourages widespread adoption and makes it easier for teams to integrate the game into their security practices. Additionally, being open source means that the game is transparent and customizable. Teams can modify the game to suit their specific needs and address the security threats that are most relevant to their applications. They can also contribute back to the game's development by submitting new cards or improvements. Furthermore, open source software tends to have a large and active community of developers who contribute to the codebase and offer support. This can lead to faster bug fixes and updates, ensuring that the game remains relevant and effective in identifying security threats.


OWASP Cornucopia

OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology-agnostic, and is free to use. OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar licence to this one.

© 2012-2025 OWASP Foundation. The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software.