How to play

Enough already, let's start!

Preparations

  1. Identify an application or application process to review; this might be a concept, design or an actual implementation
  2. Have a data flow diagram, or make one!
  3. Invite a group of 3-6 people on your team who know what's been built, or what's going to be built, inside out
  4. Have some prizes to hand (gold stars, chocolate, pizza, beer, flowers, whatever you need)

Play

  1. Create a game in Copi using the button below
  2. Share the link to the game page with everyone playing or watching
  3. Players can click the button to join as a player
  4. Once at least 3 players have joined you can start the game (make sure all your players have joined!)
  5. Click the Start Game button and Copi will shuffle and deal out the cards
  6. To begin, randomly choose a player to play the first card; they can play any card from their hand except one from the trump suit, Cornucopia
  7. Once a card is played, the player must read it out aloud and explain how (or whether) the threat could apply. The player gets a point if the attack works and the group agrees it is an actionable bug. Don't try to think of mitigations at this stage, and don't exclude a threat just because you believe it is already mitigated. Someone should record the card on the score sheet
  8. Each player in turn plays a card in the same way. If you hold any card of the lead suit you must play one of those; otherwise you may play a card from any other suit. The highest card of the lead suit wins the round, unless a card from the trump suit, Cornucopia, was played, in which case the highest Cornucopia card wins
  9. The player who wins the round leads the next round (i.e., they play first) and so defines the next lead suit
  10. Repeat until all the cards are played

Scoring

  1. Score +1 for each card you play that the group agrees is a valid threat to the application under consideration
  2. Score +1 if you win a round
  3. Once all cards have been played, whoever has the most points wins
  4. The winner receives fabulous prizes
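Putting the round and scoring rules above together in code: this is an added example, not code from Copi or the OWASP Cornucopia project. It models legal plays (the opening lead may not be a Cornucopia card, followers must follow the lead suit if they can), decides who wins a round (highest trump if any trump was played, otherwise highest card of the lead suit), and tallies +1 per accepted threat and +1 per round won. Suit abbreviations follow the Cornucopia Website App edition; the Ace-high rank order, the hands and the plays are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Suits of the Cornucopia Website App edition; Cornucopia is the trump suit.
SUITS = ("VE", "AT", "SM", "AZ", "CR", "Cornucopia")
TRUMP = "Cornucopia"
# Ranks within a suit, lowest first. Assumption for this example: Ace is high.
RANKS = ("2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A")


@dataclass(frozen=True)
class Card:
    suit: str
    rank: str

    def value(self) -> int:
        return RANKS.index(self.rank)


def legal_plays(hand, lead_suit, opening_lead=False):
    """Cards this player may play.

    lead_suit is None when this player leads the round. The opening lead of the
    game may not be a trump card. A follower holding any card of the lead suit
    must play one of those; otherwise any card is allowed.
    """
    if lead_suit is None:
        if opening_lead:
            return [c for c in hand if c.suit != TRUMP]
        return list(hand)
    following = [c for c in hand if c.suit == lead_suit]
    return following or list(hand)


def trick_winner(plays):
    """plays: list of (player, Card) in play order.

    If any trump was played the highest trump wins; otherwise the highest card
    of the lead suit wins. Off-suit cards can never win, however high.
    """
    lead_suit = plays[0][1].suit
    trumps = [(p, c) for p, c in plays if c.suit == TRUMP]
    candidates = trumps or [(p, c) for p, c in plays if c.suit == lead_suit]
    return max(candidates, key=lambda pc: pc[1].value())[0]


def play_round(plays, hands, opening_lead=False):
    """Validate each play against the follow-suit rules, remove the cards from
    the players' hands, and return the round winner. Raises ValueError on an
    illegal play (e.g. not following suit while holding the lead suit)."""
    lead_suit = None
    for player, card in plays:
        allowed = legal_plays(hands[player], lead_suit, opening_lead)
        if card not in allowed:
            raise ValueError(f"{player} may not play {card.rank} of {card.suit}")
        hands[player].remove(card)
        if lead_suit is None:
            lead_suit = card.suit
    return trick_winner(plays)


def score_game(rounds):
    """rounds: list of (plays, agreed) where agreed is the set of players whose
    card the group accepted as a valid, actionable threat.
    +1 per accepted threat, +1 per round won."""
    scores = Counter()
    for plays, agreed in rounds:
        for player, _ in plays:
            if player in agreed:
                scores[player] += 1
        scores[trick_winner(plays)] += 1
    return dict(scores)


def example_game():
    """Constructed two-round game for three players (not a real session)."""
    hands = {
        "Alice": [Card("VE", "7"), Card("AT", "K")],
        "Bob":   [Card("VE", "Q"), Card("AT", "4")],
        "Carol": [Card("CR", "2"), Card(TRUMP, "3")],
    }
    # Round 1: Alice leads VE; Bob holds VE so must follow; Carol has no VE and
    # plays a low Cornucopia card, which beats both as trump.
    round1 = [("Alice", Card("VE", "7")), ("Bob", Card("VE", "Q")), ("Carol", Card(TRUMP, "3"))]
    winner1 = play_round(round1, hands, opening_lead=True)
    # Round 2: Carol leads CR; nobody can follow and no trump is played, so the
    # lone lead-suit card wins even though Alice's King of AT is higher.
    round2 = [("Carol", Card("CR", "2")), ("Alice", Card("AT", "K")), ("Bob", Card("AT", "4"))]
    winner2 = play_round(round2, hands)
    # The group accepted Alice's and Carol's threats in round 1, Bob's in round 2.
    scores = score_game([(round1, {"Alice", "Carol"}), (round2, {"Bob"})])
    return winner1, winner2, scores


if __name__ == "__main__":
    print(example_game())
```

The validation in `play_round` is the part worth keeping when scoring by hand: the most common mistake in a session is a player dropping a card from another suit while still holding the lead suit, which silently changes who wins the round.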

Closure

  1. Review all the applicable threats and the matching security requirements
  2. Create user stories, specifications and test cases as required for your development methodology

Ok I've read it all, let's go!