This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Top 10 Card Game"

From OWASP
Jump to: navigation, search
(Edits)
(Edits)
Line 29: Line 29:
 
A primary requirement for the game is that it be designed around the standard set of playing cards so that the general public is familiar with the medium facilitating internationalization. The standard two player configuration includes one TA deck and one DC deck for each gamer. The Threat Agent (TA) deck includes two Joker cards that are used to represent a Phishing attack. This brings the TA’s deck to a total of 54. The Defense Control (DC) deck also includes two joker cards that are used to represent White Hat defensive controls. This also brings the DC deck to a total of 54.
 
A primary requirement for the game is that it be designed around the standard set of playing cards so that the general public is familiar with the medium facilitating internationalization. The standard two player configuration includes one TA deck and one DC deck for each gamer. The Threat Agent (TA) deck includes two Joker cards that are used to represent a Phishing attack. This brings the TA’s deck to a total of 54. The Defense Control (DC) deck also includes two joker cards that are used to represent White Hat defensive controls. This also brings the DC deck to a total of 54.
  
During game design, the blue Bicycle brand deck was used to represent the DC team and the red Bicycle brand deck to represent the malicious TA team. Cybersecurity activities and training are frequently designed around the concept of red (attacking) and blue (defending) teams. BICYCLE® is a registered trademark of The United States Playing Card Company. For more information, visit http://www.usplayingcard.com.
+
During game design, a blue color deck was used to represent the DC team and a red color deck (of the same manufacture) was used to represent the malicious TA team. Cybersecurity activities and training are frequently designed around the concept of red (attacking) and blue (defending) teams.
  
 
The game’s detailed play grid (See GitHub - https://github.com/OWASP/Top-10-Card-Game/) is based in part on the attack path flow diagram provided with OWASP’s Top 10 publication. The play grid is designed to help students visualize how threat agents can potentially use many different paths through your application to do harm to your business or organization. The standard two player (four deck) version of the play grid can be summarized as follows:
 
The game’s detailed play grid (See GitHub - https://github.com/OWASP/Top-10-Card-Game/) is based in part on the attack path flow diagram provided with OWASP’s Top 10 publication. The play grid is designed to help students visualize how threat agents can potentially use many different paths through your application to do harm to your business or organization. The standard two player (four deck) version of the play grid can be summarized as follows:
Line 36: Line 36:
 
</gallery>  
 
</gallery>  
  
The detailed version of the play grid contains instructional content and provides visual continuity for players.
+
The detailed version of the play grid contains instructional content and provides visual continuity for players:
 
 
 
 
 
 
 
 
 
 
  
 +
[[File:Play Grid Detailed.jpg|OWASP Card Game Grid]]
 +
</gallery>
  
 
The objective of the game is to take control of (PWN) your opponent’s three business websites while protecting your business websites. It is possible to knockout all three of your opponents TA attack websites.
 
The objective of the game is to take control of (PWN) your opponent’s three business websites while protecting your business websites. It is possible to knockout all three of your opponents TA attack websites.
Line 126: Line 123:
 
|-
 
|-
 
| 8 || Game Grid || The initial prototype was designed with a more simple grid; however, this proved to be a bit boring for the gamer. The current game grid design reflects design aspects taken from the OWASP Top 10 publication and a layered attack vector that is segmented into five defense-in-depth activities that are summarized with the mnemonic OWASP || Consider ways to modify the game grid to enhance the learning experience || Dennis Johnson
 
| 8 || Game Grid || The initial prototype was designed with a more simple grid; however, this proved to be a bit boring for the gamer. The current game grid design reflects design aspects taken from the OWASP Top 10 publication and a layered attack vector that is segmented into five defense-in-depth activities that are summarized with the mnemonic OWASP || Consider ways to modify the game grid to enhance the learning experience || Dennis Johnson
 +
|-
 +
| 9 || Card Back Designs || At a minimum, the TA deck should be a color different than the DC deck. A red TA deck and a Blue DC deck seem to augment a more realistic learning experience. Using cards with the same design pattern, made it easy to mix up the player cards || Consider ways to help the players not mix up their playing cards, such as different card back patterns or maybe card jackets.|| Dennis Johnson
 
|}
 
|}
  
 
[[Category:OWASP Project]] [[Category:OWASP_Document]]
 
[[Category:OWASP Project]] [[Category:OWASP_Document]]

Revision as of 01:08, 13 April 2019

OWASP Project Header.jpg

OWASP Top 10 Card Game - Game Description

The OWASP Top Ten card game is a fun to play poker deck card game that pits the black hats against the white hats to see who can be the first to hack their opponent’s website.

OWASP Top 10 Card Game - Mission Statement

Using a standard poker card deck, design a card game that combines the concepts of the OWASP Top 10 and the OWASP Top 10 Proactive Controls, for novice level learners, that can be easily converted for use with customized OWASP branded playing cards.

OWASP Top 10 Card Game - Game Overview

The game is designed to be an easy to learn introduction to the risk concepts of the OWASP Top Ten and the best practices control concepts of the OWASP Top Ten Proactive Controls at a novice level in an environment that reflects a sense realism and excitement.

  • The OWASP Top 10 focuses on identifying the most serious web application security risks for a broad array of organizations. A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses.
  • The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks. Each OWASP Top 10 Proactive Control technique maps to one or more items in the OWASP Top 10.

The four main components of the game (See GitHub - https://github.com/OWASP/Top-10-Card-Game/) include:

  • Threat Agent (TA) deck
  • Defense Control (DC) deck
  • Game Play Grid
  • Game Rules and Instructions

A primary requirement for the game is that it be designed around the standard set of playing cards so that the general public is familiar with the medium facilitating internationalization. The standard two player configuration includes one TA deck and one DC deck for each gamer. The Threat Agent (TA) deck includes two Joker cards that are used to represent a Phishing attack. This brings the TA’s deck to a total of 54. The Defense Control (DC) deck also includes two joker cards that are used to represent White Hat defensive controls. This also brings the DC deck to a total of 54.

During game design, a blue color deck was used to represent the DC team and a red color deck (of the same manufacture) was used to represent the malicious TA team. Cybersecurity activities and training are frequently designed around the concept of red (attacking) and blue (defending) teams.

The game’s detailed play grid (See GitHub - https://github.com/OWASP/Top-10-Card-Game/) is based in part on the attack path flow diagram provided with OWASP’s Top 10 publication. The play grid is designed to help students visualize how threat agents can potentially use many different paths through your application to do harm to your business or organization. The standard two player (four deck) version of the play grid can be summarized as follows:

  • View from 3,000 meters

The detailed version of the play grid contains instructional content and provides visual continuity for players:

OWASP Card Game Grid </gallery>

The objective of the game is to take control of (PWN) your opponent’s three business websites while protecting your business websites. It is possible to knockout all three of your opponents TA attack websites.

OWASP Top 10 Card Game - Licensing

This card game is free to use. It is licensed under the Creative Commons Attribution ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Special customized card decks are available through OWASP. These are standard poker decks that have been modified to enhance the game’s learning experience. These decks and the related play grid contain OWASP copyrighted images and related descriptions and all rights are reserved. Generally, these decks (and play grid) are updated as the new versions of the OWASP Top 10 are released. All profit derived from the sale of the customized decks (and other related items) are used to further OWASP global efforts. See [add reference / link here] for additional information and examples.

OWASP Top 10 Card Game - Roadmap

Phase 1 of the project is complete and it resulted in the completion of the proof of concept, mission statement, short team goals, long team goals and a basic game prototype.

Phase 2 of the project includes assistance from the OWASP foundation, setting up a project Wiki page, setting up a GitHub page, and adding the project to the OWASP project inventory (Incubator Status).

Phase 3 of the project includes looking for other people to help lead and contribute to the project. Areas of need and the corresponding volunteer are listed in the “Getting Involved” section of this Wiki.

Phase 4 will move the project to the Labs phase.

Phase 5 will move the project to the Flagship phase.

Phase 6 addresses the project’s long team goals. It will incorporate the basic OWASP Top 10 Card Game as presented in the Flagship phase along with special customized card decks that will be available through OWASP. These are standard poker decks that have been modified to enhance the game’s learning experience. These decks and the related play grid contain OWASP copyrighted images and related descriptions and all rights are reserved by OWASP.

OWASP Top 10 Card Game - Getting Involved

Task Volunteer Responsibilities Status
Coordination with OWASP Top 10 project team leader Add name and contact information here Help ensure that game content properly addresses the scope and purpose of the OWASP Top 10 This volunteer position is currently open
Coordination with OWASP Top 10 Proactive Controls project leader Add name and contact information here Help ensure that game content properly addresses the scope and purpose of the OWASP Top 10 Proactive Controls This volunteer position is currently open
Coordination with OWASP Education project leader Add name and contact information here Help ensure that game content properly reflects the general scope and purpose of the OWASP Education Project This volunteer position is currently open
Coordination with OWASP Cornucopia project leader Add name and contact information here Help ensure that game content properly reflects the general scope and purpose of the OWASP Cornucopia Project This volunteer position is currently open
Coordination with OWASP Snakes and Ladders project leader Add name and contact information here Help ensure that game content properly reflects the general scope and purpose of the OWASP Snakes and Ladders project This volunteer position is currently open
Coordination with OWASP Security Shepherd project leader Add name and contact information here Help ensure that game content properly reflects the general scope and purpose of the OWASP Security Shepherd project This volunteer position is currently open
Technical Jargon Watchdog Add name and contact information here Plain language evangelist that facilitates learning experience for novice level learners This volunteer position is currently open
Game Play Grid Layout and Design Coordinator Add name and contact information here Ensures that the game play grid properly supports game play and that content supports the learning experience for novice level learners This volunteer position is currently open
Content Coordinator Add name and contact information here Ensures appropriate summarized content reflecting the OWASP Top 10 risks and proactive controls and that game content and play instructions support the learning experience for novice level learners This volunteer position is currently open
Card Layout and Design Coordinator Add name and contact information here Ensures that card layout and design are appropriate and meaningful and that content supports the learning experience for novice level learners This Phase 6 volunteer position is currently open
Card Image and Design Coordinator Add name and contact information here Ensures that the images selected for the Top Ten risks and controls are appropriate, meaningful and marketable and that content supports the learning experience for novice level learners This Phase 6 volunteer position is currently open

OWASP Top 10 Card Game - Project Resources

GitHub - https://github.com/OWASP/Top-10-Card-Game/

OWASP Top 10 Card Game - Project Leader

Dennis Johnson

OWASP Top 10 Card Game - Related Projects

None

OWASP Top 10 Card Game - Lessons Learned

Number Title Description Recommendation Owner
1 Technical Complexity The OWASP Top 10 and the OWASP Top Ten Proactive Controls are abstractions of complex real life technical challenges and solutions. Because the card game is a abstraction of the Top 10 risks and controls, it is important to be mindful that the game can easily grow in complexity beyond the intended scope of the novice learner Carefully monitor creativity Dennis Johnson
2 Operational Complexity Even through the game is based on the common poker card deck and a simple game grid, there is ample opportunity for the game to grow in complexity beyond the intended scope of the novice learner Carefully monitor creativity Dennis Johnson
3 Card Formulations During the prototype design process, it was determined that increasing or decreasing the number of attack cards based on the Top 10's risk calculation process, was not meaningful to the games's purpose and only added complexity Carefully monitor creativity Dennis Johnson
4 Heavy Lifting Already Completed by Other Teams The game relies on the professionally developed and presented work completed by the Top 10 risk and controls project teams Don't stray from the guidelines provided by the Top 10 risk and control projects Dennis Johnson
5 Use of Die During the prototype design process, it was determined that the workload count added for each attack failure was probably best tracked by each player using a six sided die Include six sided dice in the recommended game configuration Dennis Johnson
6 Workload Counts During the prototype design process, the appropriate number of workload counts that should be accumulated for an attacking threat agent website to be unmasked or decommissioned was not finalized Accumulate results from trial game sessions to determine the best number of workload counts Dennis Johnson
7 Gamer Education The purpose of the game is to provide an interesting and fun experience and also help the gamer to learn about the OWASP Top 10 risks and controls Look for simple ways to build learning experiences into the game. For example, the design currently permits a player who has failed in their attack move to name a Top 10 risk selected by their opponent to cancel the normal workload count Dennis Johnson
8 Game Grid The initial prototype was designed with a more simple grid; however, this proved to be a bit boring for the gamer. The current game grid design reflects design aspects taken from the OWASP Top 10 publication and a layered attack vector that is segmented into five defense-in-depth activities that are summarized with the mnemonic OWASP Consider ways to modify the game grid to enhance the learning experience Dennis Johnson
9 Card Back Designs At a minimum, the TA deck should be a color different than the DC deck. A red TA deck and a Blue DC deck seem to augment a more realistic learning experience. Using cards with the same design pattern, made it easy to mix up the player cards Consider ways to help the players not mix up their playing cards, such as different card back patterns or maybe card jackets. Dennis Johnson
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Top_10_Card_Game&oldid=250078"