How to play Cornucopia
Preparations
- Identify an application or application process to review; this might be a concept, design or an actual implementation
- Have a data flow diagram, or make one!
- Invite a group of 3-6 people on your team who know what's been built, or what's going to be built, inside out
- Have some prizes to hand (gold stars, chocolate, pizza, beer, flowers, whatever you need)
Play
- Create a game in Copi using the Create a new game button
- Share the link to the game page with everyone playing or watching
- Players can click the button to join as a player
- Once at least 3 players have joined you can start the game (make sure all your players have joined!)
- Click the Start Game button and Copi will shuffle and deal out the cards
- To begin, pick a player at random to play the first card; they may play any card from their hand except one from the trump suit, Cornucopia
- Once a card is played, the player must read it aloud and explain how (or whether) the threat could apply. The player gets a point for an attack that works and that the group agrees is an actionable bug. Don't try to think of mitigations at this stage, and don't exclude a threat just because it is believed to be already mitigated. Have someone record the card on the score sheet
- Each player in turn plays a card in the same way: if they hold any card of the lead suit they must play one of those; otherwise they may play a card from any other suit. Only a higher card of the lead suit, or the highest card played from the trump suit Cornucopia, wins the round
- The player who wins the round leads the next round (i.e., they play first) and so defines the next lead suit
- Repeat until all the cards are played
Scoring
- Score +1 for each card you can identify as a valid threat to the application under consideration
- Score +1 if you win a round
- Once all cards have been played, whoever has the most points wins
- The winner receives fabulous prizes
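The follow-suit, trump and scoring rules above, worked as an added Python example (not code from Copi or the OWASP Cornucopia project). The suit names are the deck's; the rank order (2 lowest, Ace highest) and the Card/Play names are assumptions the page does not state.

```python
from dataclasses import dataclass

# Added example, not Copi's code. Assumption: 2 is the lowest rank, Ace the highest.
TRUMP = "Cornucopia"
RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]
RANK_VALUE = {rank: i for i, rank in enumerate(RANKS)}

@dataclass(frozen=True)
class Card:
    suit: str  # e.g. "Authentication", "Cryptography", "Cornucopia"
    rank: str

@dataclass(frozen=True)
class Play:
    player: str
    card: Card
    valid_threat: bool  # group agreed the threat applies and is an actionable bug

def legal_plays(hand, lead_suit=None):
    """Follow the lead suit if able, else any card; the first card of the game may not be a trump."""
    if lead_suit is None:
        return [c for c in hand if c.suit != TRUMP]
    following = [c for c in hand if c.suit == lead_suit]
    return following or list(hand)

def round_winner(plays):
    """Highest trump wins; with no trump played, highest card of the lead suit."""
    lead_suit = plays[0].card.suit
    trumps = [p for p in plays if p.card.suit == TRUMP]
    contenders = trumps or [p for p in plays if p.card.suit == lead_suit]
    return max(contenders, key=lambda p: RANK_VALUE[p.card.rank]).player

def score_round(plays, scores):
    """+1 per card accepted as a valid threat, +1 to the round winner (who leads next)."""
    for p in plays:
        if p.valid_threat:
            scores[p.player] = scores.get(p.player, 0) + 1
    winner = round_winner(plays)
    scores[winner] = scores.get(winner, 0) + 1
    return winner

def play_sample_round():
    """Constructed round: Bob follows suit higher, but Cara's low Cornucopia card trumps both."""
    plays = [
        Play("Ann", Card("Authentication", "7"), valid_threat=True),
        Play("Bob", Card("Authentication", "K"), valid_threat=False),
        Play("Cara", Card(TRUMP, "3"), valid_threat=True),
    ]
    scores = {}
    return score_round(plays, scores), scores
```

Cara wins the round with a low trump, so she scores two points (one for the valid threat, one for the win) and leads the next round.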
Closure
- Review all the applicable threats and the matching security requirements
- Create user stories, specifications and test cases as required for your development methodology