Create the companion deck for OWASP Cornucopia

Open sydseter opened this issue 8 months ago • 7 comments

@rewtd What if we create a companion deck for OWASP Cornucopia that can be used together with the Website edition?

The Companion deck could consist of 6 or more suits with 13 cards each. Each of the suits is a Cornucopia suit that you can use instead of the Cornucopia suit that you are using. Each of the suits should have a different topic that reflects a specific topic that you are working on.

Here are examples of topics that we can create:

  • LLM
  • WebRTC
  • Identity Management
  • API
  • Web Frontend Security
  • Desktop App Security
  • Cloud Native
  • Serverless computing
  • IOT

Some of these topics probably deserve their own deck, but I was thinking that it would be useful and perhaps faster to create a way for people to use the card deck they have already bought together with a companion expansion that they can use as a supplement.

This is a bit what @cw-owasp talked about concerning "framework-specific modified card decks". The Cornucopia suit is excellent for this purpose since it is not tied to a specific topic and it's also easy to use that suit as a suit you can exchange with a suit that has cards which are closer to what you are working on right now.

sydseter avatar May 16 '25 08:05 sydseter

IOT and Desktop App Security might be suits that are better to use in a mobile-specific expansion. So perhaps we are looking at two expansions here. Not sure.

sydseter avatar May 16 '25 08:05 sydseter

I love the idea!

rewtd avatar May 16 '25 08:05 rewtd

When things calm down, I'll create a document, share it, and ask for input.

sydseter avatar May 16 '25 08:05 sydseter

@rewtd We should make this the 25-year OWASP anniversary edition for celebrating the 25-year anniversary of OWASP!

sydseter avatar Jun 07 '25 09:06 sydseter

Apologies for not replying to this sooner, but it took a while to sink into my thick skull.

Yes, these suits could be nice teasers for other full decks, but rightly help focus the existing deck for particular teams.

One thought I had was... yes, six suits and no jokers would mean the pack size could be maintained, but maybe one of the suits could just be blank numbered cards so that people could make up their own app/stack/org-specific suit of 13 cards? So 5+1 suits. A suit to scribble on.

cw-owasp avatar Jun 10 '25 15:06 cw-owasp

Sure, the blank suit could be something to explore. As an alternative, we could also make an edition that is entirely blank, meaning that you could use it to exchange cards with the decks you already have. The reason I am saying this is that the blank cards are not really meant for beginner threat modellers, but for people that have played for some time, which most probably wouldn't be the case for a companion deck.

sydseter avatar Jun 10 '25 17:06 sydseter

I am really looking forward to this. It will be fun. By aligning it with other OWASP projects it could showcase many of these as a way of celebrating all of the OWASP projects. The attacker names should probably all be project leaders and core members.

sydseter avatar Jun 10 '25 18:06 sydseter