OWASP Snakes and Ladders

OWASP Snakes and Ladders - Web Applications

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from OWASP Proactive Controls project 2014-2016) and the vices (snakes) are application security risks (from OWASP Top Ten Project 2013).

Current Release

BR: Português Brasileiro	DE: Deutsch	EN: English
Serpentes e Escadas Aplicativos da Web	Schlangen und Leitern Web Anwendungen	Snakes and Ladders Web Applications
ES: Español	FR: Français	JA: 日本語
Serpientes y Escaleras Aplicaciones Web	Serpents et Échelles Application Web	蛇とはしご ウェブアプリケーション
TR: Türkçe	ZH: 中文
Yılanlar ve Merdivenler Web Uygulamaları	蛇梯棋 WEB应用程序

Note that some languages choose not to change the EN text for risk and control names.

(Source Adobe Illustrator file)

Release History

• [12 May 2017] 1.11 - TR version release
• [15 Jun 2016] 1.1 - EN version updated
• [29 Sep 2015] 1.0.2 - BR version release
• [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
• [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
• [31 Oct 2014] 1.0 - First release

Colour Scheme 'Classic'

This edition uses simple primary colours, like many versions that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

• Green
• Yellow
• White
• Red
• Blue

The start square (1) is yellow and the final square (100) is red.

OWASP Snakes and Ladders - Mobile Apps

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the OWASP Mobile Project lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the Mobile Security Project Top Ten Controls 2013) and the vices (snakes) are mobile risks (from the Top Ten Mobile Risks 2014).

Current Release

EN: English	JA: 日本語
Snakes and Ladders Mobile Apps	蛇とはしご モバイルアプリ版

(Source Adobe Illustrator file)

Release History

• [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
• [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
• [31 Oct 2014] 1.0 - First release

Colour Scheme 'Farringdon'

Other people's versions of Snakes and Ladders use a wide variety of designs and colour schemes. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

• Purple (future Crossrail)
• Yellow (Circle)
• White (Thameslink)
• Maroon (Metropolitan)
• Pink (Hammersmith & City)

You can see these colours on tube maps and station signage. The start square (1) is yellow and the final square (100) is maroon.

Why Snakes & Ladders?

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

How was the game created?

By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

How can I participate in your project?

All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the road map and getting involved section

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

Volunteers

Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

• Ziyahan Albeniz
• Kembolle Amilkar
• Katy Anton
• Manuel Lopez Arredondo
• Fabio Cerullo
• Álan Carlos B. Eufrázio
• Tobias Gondrom
• Martin Haslinger
• Yongliang He
• Cédric Messeguer
• Takanori Nakanowatari
• Marcos Vinícius Nunes de Arruda
• Riotaro Okada
• Gabriel Pedro S. Peres
• Alison S. Ribeiro
• Ivy Zhang
• Colin Watson

Others

• The project leaders and contributors to the referenced controls and risks:
  • OWASP Proactive Controls
  • OWASP Top Ten
  • OWASP Mobile Security
• OWASP staff for helping to set up the project and support its ongoing activities.

Recently completed:

• Update web applications edition to Proactive Controls 2016 [EN recently completed]
• Translate into other languages [TR recently completed]
• Handouts at events

As of May 2017, the priorities are:

• Update as other referenced projects updated (e.g. Top Ten 2017)

Other ideas are:

• Promote use of Snakes and Ladders
• Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

Localization

Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on Crowdin

Use and Promote the Board Game

Please help raise awareness of Snakes and Ladders:

• Use the game with your colleagues, friends, families, students and children
• Create video about how to play the game
• Develop a multi-user mobile app or web application to play the game

Feedback

Please use the project mailing list for feedback:

• How did you use it?
• What is people's reaction?
• What do like?
• What don't you like?
• What doesn't make sense?
• How could the guidance be improved?
• What other boards would you like to see?

Create a Board

Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the mailing list.