This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Snakes and Ladders"
m (→Downloads: Table spacing and remove text) |
(Added note about missing mailing list) |
||
(103 intermediate revisions by 3 users not shown) | |||
Line 9: | Line 9: | ||
==OWASP Snakes and Ladders== | ==OWASP Snakes and Ladders== | ||
− | Snakes and Ladders is an educational project. It | + | Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools. |
== Editions== | == Editions== | ||
Line 15: | Line 15: | ||
''Web Applications'' | ''Web Applications'' | ||
− | <div style="height:75px;max-width:375px;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div> | + | <!-- <div style="height:75px;max-width:375px;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>-->In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists]. |
− | + | ''Mobile Apps'' | |
− | + | <!-- <div style="height:75px;max-width:375px;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>-->The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices. | |
+ | |||
+ | == Background == | ||
− | + | This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small". | |
− | The | + | The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached. |
− | ' | + | Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills. |
− | + | We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away. | |
==Licensing== | ==Licensing== | ||
− | OWASP | + | OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. |
© OWASP Foundation | © OWASP Foundation | ||
Line 38: | Line 40: | ||
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games]. | If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games]. | ||
+ | Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games]. | ||
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --> | <!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --> | ||
Line 44: | Line 47: | ||
== What is This? == | == What is This? == | ||
− | Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into Great Britain from Asia in the 19th century. The original game showed the effects of good and evil, or virtues and vices. | + | Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks. |
==How to Play== | ==How to Play== | ||
Line 53: | Line 56: | ||
* Put all the players' counters onto the first square labelled “Start 1”. | * Put all the players' counters onto the first square labelled “Start 1”. | ||
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail. | * In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail. | ||
+ | * ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it'' | ||
*The first player to reach “100” at the top left wins. Give a prize. | *The first player to reach “100” at the top left wins. Give a prize. | ||
− | == Project | + | == Project Leaders == |
− | Colin Watson | + | * [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:[email protected] @] |
+ | * [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:[email protected] @] | ||
== Related Projects == | == Related Projects == | ||
Line 70: | Line 75: | ||
== Quick Download == | == Quick Download == | ||
− | * Web Applications v1.0 | + | * Web Applications v1.0/v1.1 |
− | ** [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]] | + | ** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]] |
** {{#switchtablink:Web Applications Edition|More options...}} | ** {{#switchtablink:Web Applications Edition|More options...}} | ||
* Mobile Apps v1.0 | * Mobile Apps v1.0 | ||
− | ** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]] | + | ** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]] |
** {{#switchtablink:Mobile Apps Edition|More options...}} | ** {{#switchtablink:Mobile Apps Edition|More options...}} | ||
== News and Events == | == News and Events == | ||
− | + | * [09 May 2018] Web Applications v1.20 released in EN | |
− | * [ | + | * [12 May 2017] Web Applications TR |
− | * [ | + | * [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017 |
− | + | * [05 Jun 2016] Web Applications v1.10 released in EN | |
+ | * [30 Dec 2015] Katy Anton becomes project co-leader | ||
+ | * [01 Dec 2015] Free copies at PHP North West user group | ||
+ | * [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle] | ||
+ | * [12 Oct 2015] Free copies at PHP Hampshire user group | ||
+ | * [29 Sep 2015] Web Application v1.0 released in PT-BR | ||
+ | * [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation | ||
+ | * [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival] | ||
+ | * [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London] | ||
+ | * [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge] | ||
+ | * [02 Dec 2014] Mobile Apps JA | ||
+ | * [25 Nov 2014] Web Applications FR, JA and ZH | ||
+ | * [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES | ||
+ | * [31 Oct 2014] Mobile Apps v1.0 released in EN | ||
== Twitter == | == Twitter == | ||
+ | [[File:OWASPSnakesWeb-profile-small.jpg|link=]] | ||
Follow two mock games running on Twitter: | Follow two mock games running on Twitter: | ||
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb] | * [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb] | ||
Line 112: | Line 131: | ||
== OWASP Snakes and Ladders - Web Applications == | == OWASP Snakes and Ladders - Web Applications == | ||
− | This was the first edition created. The | + | This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017). |
+ | |||
+ | <div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div> | ||
+ | |||
+ | == Current Release == | ||
− | |||
{| | {| | ||
− | | align="center" valign="top" | [ | + | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro] |
− | | align="center" valign="top" | [ | + | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch] |
− | | align="center" valign="top" | [ | + | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English] |
|- | |- | ||
− | | align="center" valign="top" | [[ | + | | align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]] |
− | | align="center" valign="top" | [[ | + | | align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]] |
− | | align="center" valign="top" | [[ | + | | align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]] |
|- | |- | ||
− | | align="center" valign="top" width=" | + | | align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web |
− | | align="center" valign="top" width=" | + | | align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen |
− | | align="center" valign="top" width=" | + | | align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications |
+ | |- | ||
+ | | <br><br> | ||
+ | | <br><br> | ||
+ | | <br><br> | ||
+ | |- | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español] | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français] | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語] | ||
+ | |- | ||
+ | | align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]] | ||
+ | | align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]] | ||
+ | | align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]] | ||
+ | |- | ||
+ | | align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web | ||
+ | | align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web | ||
+ | | align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション | ||
+ | |- | ||
+ | | <br><br> | ||
+ | | <br><br> | ||
+ | | <br><br> | ||
+ | |- | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe] | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文] | ||
+ | | align="center" valign="top" | | ||
+ | |- | ||
+ | | align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]] | ||
+ | | align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]] | ||
+ | | align="center" valign="top" | | ||
+ | |- | ||
+ | | align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları | ||
+ | | align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序 | ||
+ | | align="center" valign="top" width="250" | | ||
|} | |} | ||
+ | Note that some languages choose not to change the EN text for risk and control names. | ||
+ | |||
+ | ([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file]) | ||
+ | |||
+ | == Release History == | ||
− | * | + | * [09 May 2018] 1.2 - EN version updated |
− | * | + | * [12 May 2017] 1.11 - TR version release |
− | * | + | * [15 Jun 2016] 1.1 - EN version updated |
+ | * [29 Sep 2015] 1.0.2 - BR version release | ||
+ | * [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released | ||
+ | * [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated | ||
+ | * [31 Oct 2014] 1.0 - First release | ||
== Colour Scheme 'Classic' == | == Colour Scheme 'Classic' == | ||
− | |||
− | |||
This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are: | This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are: | ||
Line 146: | Line 207: | ||
* Red | * Red | ||
* Blue | * Blue | ||
+ | |||
+ | <div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div> | ||
The start square (1) is yellow and the final square (100) is red. | The start square (1) is yellow and the final square (100) is red. | ||
Line 153: | Line 216: | ||
== OWASP Snakes and Ladders - Mobile Apps == | == OWASP Snakes and Ladders - Mobile Apps == | ||
− | The Mobile Apps | + | The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014). |
+ | |||
+ | <div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div> | ||
+ | |||
+ | == Current Release == | ||
+ | |||
+ | {| | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English] | ||
+ | | align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語] | ||
+ | |- | ||
+ | | align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]] | ||
+ | | align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]] | ||
+ | |- | ||
+ | | align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps | ||
+ | | align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版 | ||
+ | |} | ||
− | + | ([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file]) | |
− | + | == Release History == | |
− | + | * [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released | |
− | * | + | * [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated |
− | * | + | * [31 Oct 2014] 1.0 - First release |
− | * | ||
== Colour Scheme 'Farringdon' == | == Colour Scheme 'Farringdon' == | ||
− | + | Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are: | |
− | + | * Purple (future <strike>Crossrail</strike> Elizabeth) | |
− | |||
− | * Purple (future Crossrail) | ||
* Yellow (Circle) | * Yellow (Circle) | ||
* White (Thameslink) | * White (Thameslink) | ||
Line 176: | Line 251: | ||
* Pink (Hammersmith & City) | * Pink (Hammersmith & City) | ||
− | You can see these colours on tube maps and signage. The start square (1) is yellow and the final square (100) is maroon. | + | <div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div> |
+ | |||
+ | You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon. | ||
=FAQs= | =FAQs= | ||
+ | |||
+ | [[File:Snakesandladders-mockup.jpg|right|link=]] | ||
+ | |||
+ | ==Why Snakes & Ladders? == | ||
+ | |||
+ | The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects. | ||
+ | |||
+ | Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with. | ||
+ | |||
+ | Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement. | ||
==How was the game created?== | ==How was the game created?== | ||
− | + | By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written. | |
+ | |||
+ | The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project. | ||
+ | |||
+ | Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme. | ||
==How can I participate in your project?== | ==How can I participate in your project?== | ||
Line 194: | Line 285: | ||
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been: | Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been: | ||
+ | * Ziyahan Albeniz | ||
+ | * Kembolle Amilkar | ||
+ | * Katy Anton | ||
* Manuel Lopez Arredondo | * Manuel Lopez Arredondo | ||
* Fabio Cerullo | * Fabio Cerullo | ||
+ | * Álan Carlos B. Eufrázio | ||
* Tobias Gondrom | * Tobias Gondrom | ||
* Martin Haslinger | * Martin Haslinger | ||
+ | * Yongliang He | ||
+ | * Manfred Hofmeier | ||
+ | * Cédric Messeguer | ||
+ | * Takanori Nakanowatari | ||
+ | * Marcos Vinícius Nunes de Arruda | ||
* Riotaro Okada | * Riotaro Okada | ||
− | * | + | * Gabriel Pedro S. Peres |
+ | * Alison S. Ribeiro | ||
* Ivy Zhang | * Ivy Zhang | ||
* Colin Watson | * Colin Watson | ||
Line 212: | Line 313: | ||
= Road Map and Getting Involved = | = Road Map and Getting Involved = | ||
− | + | Recently completed: | |
− | * | + | * Update web applications edition to Proactive Controls 2018 [EN recently completed] |
− | * | + | * Translate into other languages [TR recently completed] |
− | * | + | * Handouts at events |
− | |||
− | As of | + | As of May 2018, the priorities are: |
− | * Promote use of Snakes and Ladders | + | * Update as other referenced projects updated (e.g. Top Ten) |
− | + | ||
− | + | Other ideas are: | |
+ | |||
+ | * Promote use of Snakes and Ladders | ||
* Develop other boards | * Develop other boards | ||
Line 228: | Line 330: | ||
==Localization== | ==Localization== | ||
Are you fluent in another language? Can you help translate Snakes and Ladders into that language? | Are you fluent in another language? Can you help translate Snakes and Ladders into that language? | ||
+ | |||
+ | The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin] | ||
==Use and Promote the Board Game== | ==Use and Promote the Board Game== | ||
Line 236: | Line 340: | ||
==Feedback== | ==Feedback== | ||
− | Please use the [https://lists.owasp.org/mailman/ | + | '''22 Mar 2019 - awaiting setup of mailing list replacement''' |
+ | |||
+ | Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback: | ||
* How did you use it? | * How did you use it? | ||
* What is people's reaction? | * What is people's reaction? | ||
Line 246: | Line 352: | ||
==Create a Board== | ==Create a Board== | ||
− | Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/ | + | Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list]. |
Line 254: | Line 360: | ||
__NOTOC__ <headertabs /> | __NOTOC__ <headertabs /> | ||
− | [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] | + | [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]] |
Latest revision as of 09:45, 22 March 2019
- Main
- Web Applications Edition
- Mobile Apps Edition
- FAQs
- Acknowledgements
- Road Map and Getting Involved
OWASP Snakes and LaddersSnakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools. EditionsWeb Applications In the board game for web applications, the virtuous behaviours (ladders) are secure coding practices (from OWASP Proactive Controls project 2014-2018) and the vices (snakes) are application security risks (from OWASP Top Ten Project 2013-2017). See also a mapping between these two lists. Mobile Apps The identical board game for mobile apps uses mobile controls (from the Mobile Security Project Top Ten Controls 2013) as the virtuous behaviours and mobile risks (from the Top Ten Mobile Risks 2014 from the same project) as the vices. BackgroundThis board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small". The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached. Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 paper size 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills. We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away. LicensingOWASP Snakes and Ladders is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. © OWASP Foundation Other Security GamificationIf you are interested in using gaming for security, also see OWASP Cornucopia, Elevation of Privilege: The Threat Modeling Game, Security Cards from the University of Washington, the commercial card game Control-Alt-Hack (presentation for latter), and web application security training tools incorporating gamification such as OWASP Hackademic Challenges Project, OWASP Security Shepherd and ITSEC Games. Additionally, Adam Shostack maintains a list of tabletop security games and related resources at security games. |
What is This?Snakes and Ladders is a popular board game, with ancient provenance imported into Great Britain from Asia in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized print-your-own paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks. How to Play
Project LeadersRelated Projects |
Quick Download
News and Events
Follow two mock games running on Twitter: Classifications |
OWASP Snakes and Ladders - Web Applications
This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from OWASP Proactive Controls project 2014-2018) and the vices (snakes) are application security risks (from OWASP Top Ten Project 2013-2017).
Current Release
BR: Português Brasileiro | DE: Deutsch | EN: English |
Serpentes e Escadas Aplicativos da Web |
Schlangen und Leitern Web Anwendungen |
Snakes and Ladders Web Applications |
|
|
|
ES: Español | FR: Français | JA: 日本語 |
Serpientes y Escaleras Aplicaciones Web |
Serpents et Échelles Application Web |
蛇とはしご ウェブアプリケーション |
|
|
|
TR: Türkçe | ZH: 中文 | |
Yılanlar ve Merdivenler Web Uygulamaları |
蛇梯棋 WEB应用程序 |
Note that some languages choose not to change the EN text for risk and control names.
(Source Adobe Illustrator file)
Release History
- [09 May 2018] 1.2 - EN version updated
- [12 May 2017] 1.11 - TR version release
- [15 Jun 2016] 1.1 - EN version updated
- [29 Sep 2015] 1.0.2 - BR version release
- [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
- [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
- [31 Oct 2014] 1.0 - First release
Colour Scheme 'Classic'
This edition uses simple primary colours, like many versions that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:
- Green
- Yellow
- White
- Red
- Blue
The start square (1) is yellow and the final square (100) is red.
OWASP Snakes and Ladders - Mobile Apps
The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the OWASP Mobile Project lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the Mobile Security Project Top Ten Controls 2013) and the vices (snakes) are mobile risks (from the Top Ten Mobile Risks 2014).
Current Release
EN: English | JA: 日本語 |
Snakes and Ladders Mobile Apps |
蛇とはしご モバイルアプリ版 |
(Source Adobe Illustrator file)
Release History
- [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
- [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
- [31 Oct 2014] 1.0 - First release
Colour Scheme 'Farringdon'
Other people's versions of Snakes and Ladders use a wide variety of designs and colour schemes. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:
- Purple (future
CrossrailElizabeth) - Yellow (Circle)
- White (Thameslink)
- Maroon (Metropolitan)
- Pink (Hammersmith & City)
You can see these colours on tube maps and station signage. The start square (1) is yellow and the final square (100) is maroon.
Why Snakes & Ladders?
The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.
Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.
Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.
How was the game created?
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.
The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.
Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.
How can I participate in your project?
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the road map and getting involved section
If I am not a programmer can I participate in your project?
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.
Volunteers
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:
- Ziyahan Albeniz
- Kembolle Amilkar
- Katy Anton
- Manuel Lopez Arredondo
- Fabio Cerullo
- Álan Carlos B. Eufrázio
- Tobias Gondrom
- Martin Haslinger
- Yongliang He
- Manfred Hofmeier
- Cédric Messeguer
- Takanori Nakanowatari
- Marcos Vinícius Nunes de Arruda
- Riotaro Okada
- Gabriel Pedro S. Peres
- Alison S. Ribeiro
- Ivy Zhang
- Colin Watson
Others
- The project leaders and contributors to the referenced controls and risks:
- OWASP staff for helping to set up the project and support its ongoing activities.
Recently completed:
- Update web applications edition to Proactive Controls 2018 [EN recently completed]
- Translate into other languages [TR recently completed]
- Handouts at events
As of May 2018, the priorities are:
- Update as other referenced projects updated (e.g. Top Ten)
Other ideas are:
- Promote use of Snakes and Ladders
- Develop other boards
Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.
Localization
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?
The project is on Crowdin
Use and Promote the Board Game
Please help raise awareness of Snakes and Ladders:
- Use the game with your colleagues, friends, families, students and children
- Create video about how to play the game
- Develop a multi-user mobile app or web application to play the game
Feedback
22 Mar 2019 - awaiting setup of mailing list replacement
Please use the project mailing list for feedback:
- How did you use it?
- What is people's reaction?
- What do like?
- What don't you like?
- What doesn't make sense?
- How could the guidance be improved?
- What other boards would you like to see?
Create a Board
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the mailing list.