Skip to content

Latest commit

 

History

History
38 lines (33 loc) · 4.39 KB

tab_faqs.md

File metadata and controls

38 lines (33 loc) · 4.39 KB
title displaytext layout tab order tags
FAQs
Frequently Asked Questions
true
3
cc

Frequently Asked Questions

Cornucopia card Authorization - 8

Can I copy or edit the game?

Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

How can I get involved?

Please send ideas or offers of help to the project’s List/Group.

How were the attackers’ names chosen?

EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", the original Ecommerce Website Edition used the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, we dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative. Some names have been changed over the years to include some more recent project volunteers.

Why aren’t there any images on the card faces?

There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included.

Are the attacks ranked by the number on the card?

Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

Cornucopia card Cryptography - Jack

How long does it take to play a round of cards using the full deck?

This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

What sort of people should play the game?

Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

Who should take notes and record scores?

It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

Should we always use the full deck of cards?

No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

What should players do when they have an Ace card that says “invented a new X attack”?

The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

I don’t understand what the attack means on each card - is there more detailed information?

Yes, the Wiki Deck at was created to help players understand the attacks. See Wiki Deck.