==========================================
OWASP Cornucopia Ecommerce Website Edition
==========================================

v1.20 EN
Ecommerce Website Edition
Created by Colin Watson

ABOUT
-----

OWASP Cornucopia is a mechanism in the form of a card game to help software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

https://www.owasp.org/index.php/OWASP_Cornucopia

Acknowledgments:

* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments”, which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

LICENSE
-------

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.

COPYRIGHT
---------

© OWASP Foundation 2012-2016

DERIVATIVES/ATTRIBUTION
-----------------------

Some examples of re-using or reproducing Cornucopia are:

1. Print some decks and give them away to customers
2. Reproduce the game exactly but with a corporate-branded package
3. Use the idea and/or source files to produce a similar game but with different attacks/mappings
4. Distribute modified design files

For option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes.

There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets) include such text.

A - Cornucopia License

The precise wording will depend on how the material is being used or reproduced. Under the Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or a separate booklet). The current required long-form wording is (between the dotted rules):

................................................................................
OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

* OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source is vendor neutral and unbranded.
* OWASP does not endorse or recommend commercial products or services.
* © 2012-2016 OWASP Foundation
* This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments”, which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.
................................................................................

The box/container for the cards must have the wording (between the dotted rules):

................................................................................
Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards.

OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.
................................................................................

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts) (between the dotted rules):

................................................................................
OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.
................................................................................

If any files are distributed electronically, the long-form wording should also be added in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler.
In that case it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and their open source license).

B - Upcoming update to Cornucopia

Note that the current print design files are v1.20, and the current Word document is also v1.20. Whatever is used as a starting point, please state the source version, for example (between the dotted rules):

................................................................................
Based on OWASP Cornucopia Ecommerce Website Edition v1.20
................................................................................

C - OWASP brand usage

Additionally, individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot-branded decks.