Difference between revisions of "OWASP Top 10 Card Game"

OWASP Top 10 Card Game - Game Description

The OWASP Top Ten card game is a fun to play poker deck card game that pits the black hats against the white hats to see who can be the first to hack their opponent’s website.

OWASP Top 10 Card Game - Mission Statement

Using a standard poker card deck, design a card game that combines the concepts of the OWASP Top 10 and the OWASP Top 10 Proactive Controls, for novice level learners, that can be easily converted for use with customized OWASP branded playing cards.

OWASP Top 10 Card Game - Game Overview

The game is designed to be an easy to learn introduction to the risk concepts of the OWASP Top Ten and the best practices control concepts of the OWASP Top Ten Proactive Controls at a novice level in an environment that reflects a sense realism and excitement.

• The OWASP Top 10 focuses on identifying the most serious web application security risks for a broad array of organizations. A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses.

• The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks. Each OWASP Top 10 Proactive Control technique maps to one or more items in the OWASP Top 10.

The three key components of the game include the Threat Agent (TA) and Defense Control (DC) card decks and the game grid.

A primary requirement for the game is that it be designed around the standard set of playing cards so that the general public is familiar with the medium facilitating internationalization. Two decks for each player are recommended. The Threat Agent (TA) deck includes two Joker cards that are used to represent a Phishing attack. This brings the TA’s deck to a total of 54. The Defense Control (DC) deck also includes two joker cards that are used to represent White Hat defensive controls.

• Threat Agent (TA) deck – 54 cards
• Defense Control (DC) deck – 54 cards

During game design, the blue Bicycle brand deck was used to represent the DC team and the red Bicycle brand deck to represent the malicious TA team. Cybersecurity activities and training are frequently designed around the concept of red (attacking) and blue (defending) teams. BICYCLE® is a registered trademark of The United States Playing Card Company. For more information, visit http://www.usplayingcard.com.

The objective of the game is to take control of (PWN) your opponent’s three business websites while protecting your business websites. It is possible to knockout all three of your opponents TA attack websites.

OWASP Top 10 Card Game - Licensing

This card game is free to use. It is licensed under the Creative Commons Attribution ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Special customized card decks are available through OWASP. These are standard poker decks that have been modified to enhance the game’s learning experience. These decks and the related play grid contain OWASP copyrighted images and related descriptions and all rights are reserved. Generally, these decks (and play grid) are updated as the new versions of the OWASP Top 10 are released. All profit derived from the sale of the customized decks (and other related items) are used to further OWASP global efforts. See Appendix A for additional information and examples.

OWASP Top 10 Card Game - Roadmap

Phase 1 of the project is complete and it resulted in the completion of the proof of concept, mission statement, short team goals, long team goals and a basic game prototype.

Phase 2 of the project includes assistance from the OWASP foundation, setting up a project Wiki page, setting up a GitHub page, and adding the project to the OWASP project inventory (Incubator Status).

Phase 3 of the project includes looking for other people to help lead and contribute to the project. Areas of need and the corresponding volunteer are listed in the “Getting Involved” section of this Wiki.

Phase 4 will move the project to the Labs phase.

Phase 5 will move the project to the Flagship phase.

Phase 6 addresses the project’s long team goals. It will incorporate the basic OWASP Top 10 Card Game as presented in the Flagship phase along with special customized card decks that will be available through OWASP. These are standard poker decks that have been modified to enhance the game’s learning experience. These decks and the related play grid contain OWASP copyrighted images and related descriptions and all rights are reserved by OWASP.

OWASP Top 10 Card Game - Getting Involved

OWASP Top 10 Card Game - Project Resources

GitHub - https://github.com/OWASP/Top-10-Card-Game/

OWASP Top 10 Card Game - Project Leader

Dennis Johnson

OWASP Top 10 Card Game - Related Projects

• OWASP_Code_Project_Template
• OWASP_Tool_Project_Template

OWASP Top 10 Card Game - Lessons Learned