Session
How to gamify your mobile application security using OWASP Cornucopia
OWASP Cornucopia is a mechanism in the form of a card game that helps software development teams identify security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology agnostic. Admincontrol is using OWASP Cornucopia to scale their security efforts and empower their teams to do application security work, using gamification as a motivational factor.
Cornucopia had its 10th anniversary last year, so it’s about time we released a new version of Cornucopia, with a new Website App Edition updated with the ASVS 4.0 mapping and a Mobile App Edition with the MASVS 2.0 mapping for mobile development. At the same time, we are also releasing the online version “Copi” for online and distributed collaboration.
Together with other Cornucopia enthusiasts, we are doing this to ensure the successful implementation of security practices for web and mobile applications. We believe the best way to scale application security efforts, empower development teams to take ownership of application security, and improve application security posture is to gamify the security requirements and threat modelling processes. Let the development team come up with the requirements themselves and support them in the planning, design and implementation of application security. Cornucopia will help development teams come up with those requirements and support them in planning, designing and implementing application security best practices, and if they don’t find the game interesting, why not let them create their own threat modelling game using OWASP Cornucopia?
In this presentation, we will talk about how Admincontrol uses Cornucopia to improve their product security using the upcoming mobile version of Cornucopia, and what we have learned and gained from using Cornucopia in our development processes.