惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
人人都是产品经理
人人都是产品经理
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Exploit Database - CXSecurity.com
N
News and Events Feed by Topic
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
IT之家
IT之家
V
V2EX
WordPress大学
WordPress大学
Apple Machine Learning Research
Apple Machine Learning Research
Cisco Talos Blog
Cisco Talos Blog
K
Kaspersky official blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
S
SegmentFault 最新的问题
小众软件
小众软件
A
Arctic Wolf
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
宝玉的分享
宝玉的分享
Last Week in AI
Last Week in AI
G
GRAHAM CLULEY
罗磊的独立博客
T
Tor Project blog
C
Cisco Blogs
美团技术团队
博客园 - Franky
月光博客
月光博客
博客园 - 三生石上(FineUI控件)
T
Threat Research - Cisco Blogs
Cyberwarzone
Cyberwarzone
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
有赞技术团队
有赞技术团队
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Security Latest
Security Latest
博客园 - 司徒正美
Hugging Face - Blog
Hugging Face - Blog
Spread Privacy
Spread Privacy
J
Java Code Geeks
C
CERT Recently Published Vulnerability Notes
大猫的无限游戏
大猫的无限游戏
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
D
Darknet – Hacking Tools, Hacker News & Cyber Security
阮一峰的网络日志
阮一峰的网络日志
雷峰网
雷峰网
Project Zero
Project Zero

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Introducing a OWASP Game for threat modeling Agentic AI, Cloud, Devops, Frontend, LLM, Automation, and Web
Johan Sydset · 2026-05-11 · via DEV Community

Shift-left doesn't start with scanning the code for security vulnerabilities; it begins with designing for security.

Too often, the shift-left mantra consists of implementing (AI-powered) code scanning and applying AI-powered security fixes for remediation. Also, don't forget to implement the AI-powered benchmark for AI-powered Security Fixes. Now, to be clear, I am not actually telling you to stop using these tools — if they work for you — instead, we should ask ourselves:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

OWASP Cornucopia v3.0

OWASP Cornucopia Website App Edition v3.0

In order to support that second question in particular, we have released the next version of OWASP Cornucopia v3.0.
If you would like to buy a professional physical copy of v3.0, you can do so at CyberSec Games. We would suggest buying the 25th anniversary edition as it also comes with both the Website App Edition 3.0 and the new OWASP Cornucopia Companion Edition, specifically made to be used together as an expansion. You can also download the design files from the release and take them to your local printer or print them yourself.

The 25th anniversay edition

OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology-agnostic.
The formerly titled “Cornucopia — Ecommerce Website Edition” was renamed in v2.0 to “Cornucopia — Website App Edition”. This edition was originally created in August 2012, released as v1.0 in February 2013, and has undergone several minor updates/releases over the following ten to fifteen years. This has been substantially updated in v2.0, in which the most noticeable change was an update of the OWASP ASVS mapping from ASVS v3.0 to v4.0, together with the creation of translations into six languages (EN, ES, FR, NL, NO-NB, and PT-BR) due to the efforts of past and current volunteers.

The new version, available in 11 languages (EN, ES, FR, HI, NL, NO-NB, PT-PT, PT-BR, RU, UK, IT), includes all new cards and text that cover all OWASP ASVS 5.0 requirements and links them to more than 200 unique common attack patterns (CAPEC™). Each of the common attack patterns will have a unique set of ASVS 5.0 requirements, which means that you never need to stop playing the game! You will always be able to return to the same card to discover new threats and security requirements to consider when building your software; that's the Cornucopia way.

We have also created an API where you can find, programmatically, all requirements connected to each card together with a complete mapping between CAPECs and ASVS 5.0 requirements so that you can automate your threat modeling and requirement analysis processes. If you want to know more about the latest additions to the Website App Edition v3.0, read all about it on our blog post "The Cornucopia of Gamified Threat Modeling"

OWASP Cornucopia Companion Edition v1.0

OWASP Companion Edition v1.0

Today, we are publishing a brand new OWASP Cornucopia Edition to complement the existing two editions. The OWASP Cornucopia Companion Edition v1.0 comes with 6 companion suits covering new topics: Agentic AI (AAI), Automated Threats (BOT), Cloud (CLD), Frontend (FRE), Large Language Models (LLM), and DevOps (DVO). A suit in the companion deck may replace (or be used in addition to) suits in the existing Website Edition so that the players can add a specific focus to their threat modeling: For example, say you are building an LLM application and want to perform threat modeling and security requirement analysis specifically for LLM. You would then use the OWASP Cornucopia Website Edition and the LLM companion suit as your elected OWASP Cornucopia focus area. The new version is immediately available online at copi.owasp.org and for sale at CyberSec Games. You can also download the design files from the latest release.

To commemorate the OWASP Foundation's 25th anniversary, we have also designed the case, leaflet, and cards specifically to celebrate the anniversary and OWASP's achievements within the field of application security and software engineering. We will also be attending the OWASP Global AppSec 2026 in Vienna, where we will be demoing the game for anyone who wants to come and play with us.

We feel this is only the start; each year, OWASP Cornucopia resellers distribute 1,000 games to teams worldwide. At copi.owasp.org, more than 500 users conduct threat modeling for mobile applications, agentic AI, automated threats, cloud, identity management, large language models, and SDL processes every month. In the coming time, we at OWASP Cornucopia will work towards promoting threat modeling and games to change the security culture at software companies worldwide.

Copi users

Why a companion edition?

Threat modeling isn't only for security people

The time when development teams could focus only on web development is long gone. Modern software development and sprint planning often include implementing integrations towards large language models, AI agents, and DevOps pipelines through full-stack development. In such an environment, security requirements are constantly shifting from sprint to sprint. Therefore, the only possibility is choosing an agile and collaborative approach to threat modeling that supports including a large number of people with various backgrounds, experiences, and knowledge.
The OWASP Cornucopia Companion Edition was created to accommodate this. A big, beautiful Excel document can never replace a collaborative approach to threat modeling that includes the opinions of everyone on the development team. To avoid having the threat modeling and security design processes become an exercise in superficial ISO compliance, you need to empower your development teams to work together to come up with a secure design. Such a process requires ingenuity, to think out of the box, and to make unpopular decisions that may affect the delivery schedule of a development project. Neither an Excel document nor an ISO 27001 policy will ever get a development team to do that.

Failing to regularly assess your security isn't only costly; it can leave you vulnerable to threats. Several companies have implemented OWASP Cornucopia as part of their SDLC and use it for security requirements analysis, threat modeling, and secure design for every sprint and every user story. You should do the same! Don't let your business spiral out of control; consciously assess how you are doing by continuously threat-modeling your applications and infrastructure. To get started scaling your threat modeling efforts, OWASP Cornucopia and its companion edition are the perfect tools.

We want to thank all project leaders and contributors to the OWASP projects who have provided valuable input and guidance on the OWASP Top 10, OWASP AISVS, OWASP MAS, OWASP Cumulus, OWASP Threat Dragon and the OWASP GenAI Security project. It's thanks to these projects, and many more, that we can deliver to you the OWASP gamified approach to threat modeling and requirement analysis.
We also want to thank the people and contributors to Mitre's Common Attack Pattern Enumeration and Classification (CAPEC™) and Atlas, together with CSA Cloud Controls Matrix, which are all used in the cross-references provided.

Walk that walk, talk that talk

With this latest version of OWASP Cornucopia, we are making it more than a game; it has become a fully fledged threat modeling tool. It doesn’t just feed into your threat modeling process; it drives it, and it doesn’t just work; it scales! A long-time project contributor, previously working at Banco de Crédito BCP, used OWASP Cornucopia to train hundreds of people in using OWASP Cornucopia for threat modeling.
Several companies, such as Admincontrol AS, a Euronext subsidiary, are using it as part of their custom development methodology and have made it the primary mechanism for structured threat elicitation.

"Continuous Gamified threat modeling", done the OWASP way, has been tested and proven to work and is generally welcomed by ISO auditors. Not only is it welcomed, but auditors also love to hear about how it can be used to create engagement and change the culture of the companies that make use of it. This, according to Admincontrol, which has been audited 4 times using all 97 controls from ISO 27001/27002 as part of their information security management system. "Continuous Gamified Threat Modeling" is about assisting software development teams in identifying security requirements in Agile, conventional, and formal development processes through continuous gamification and threat modeling for every feature and every release. Don't apologize for designing before coding, it's called thinking!

Don't apologize for designing before coding, it's called thinking!

And the developers? They love it! At the company I work for (Admincontrol), they always send out an anonymous survey to gather team feedback.
The aggregate score for how satisfied respondents have been with all sessions they've held since they started to use OWASP Cornucopia in 2023 is 4.5 out of 5, which is the maximum. When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5.

Relevant for your job
How satisified are you?

The point here is not just to do your initial security risk assessment and be done with it, but to continuously look for new threats as you improve your software, in line with the Threat Modeling Manifesto.

"Continuous Threat Modeling", a term described in "Threat Modeling: A Practical Guide for Development Teams", is essential to keep your applications and infrastructure secure as you expand your system with new features and machines and increase the attack surface. Gamification can help you get started doing just that. So why would you want to continuously threat model your infrastructure and applications? Isn't it enough to just do a thorough check-up now and then? Admincontrol thought so as well!

Admincontrol used threat modeling to design its applications. They have large sessions that they run once a year and several smaller sessions for each sprint. They define Jira issues to mitigate these threats and assign them directly to the development team's backlog. Then they have security backlog grooming once a month with the product owners, where they discuss directly with them how they can resolve these issues.
The first graph shows the resolution time for Jira issues created during the annual threat modeling session. The second graph shows the resolution of Jira issues for the threat modeling they do each sprint.

Large Threat Modeling Sessions
Small Threat Modeling Sessions

As shown in the first graph, the resolution time is increasing. This is because they had Jira issues that were defined but never resolved. Some of the issues had taken nearly 3 years to resolve.
The second graph shows an increase in resolution time. This is because Admincontrol had a component that didn't get finalized. It stayed on the drawing board, but the threat modeling was done, so the resolution time spiked. There are no data prior to 2023, as they didn't keep this form of statistics before then. On average, the resolution time for the short threat modeling sessions were ca. 3 months. This usually coincided with the frequency of their minor releases, which included new features.

If you do long, large sessions, you run the risk of doing threat modeling irregularly, meaning you will have issues you will never be able to solve, and issues meant to improve security will stay in the development team's backlog forever, never to see the light of day. If you think technical debt is scary, wait until you see your security debt.

Sec Debt

OWASP Cornucopia welcomes any input or improvements you might be willing to share with us. For anyone wanting to share their opinion, please don't hesitate to visit our repository, share your feedback, and, if appropriate, give us a star⭐️.


OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 340 chapters worldwide.