OWASP Cornucopia Online And Mobile

Toby Irvine

Our online threat modelling system, Copi, is now an open source OWASP project and the Cornucopia team have released a new deck for mobile apps!

This week, the OWASP Cornucopia project announced some significant updates, and I’m proud to have contributed one. I like to tell a story, though, so first a bit of history.

At Secure Delivery, we’ve always used the card games Cornucopia and Elevation of Privilege and love the agile approach to threat modelling that puts development teams at the heart of uncovering security issues in their systems. Three years ago, in May 2021, a global pandemic was making it pretty damn hard to sit in a room together and play cards. It was also making other things difficult, like getting hold of toilet paper for some reason, but there wasn’t much I could do about that.

On May 25th, after looking around to see if someone had already done the hard work, I pushed the first code to a repo for an online version of these card games and called it Copi. It would be an easy-to-access system: just create a game, share the link with your team, jump on a call, and start revealing security issues in your software. No registration, no nonsense.

Copi hits 5000 players in March 2024

Fast-forward a few years and 5,000 players(!) later, the OWASP Cornucopia team was working hard on updating the web application deck and introducing a new deck for threat modelling mobile apps. Xavier Godard and Johan Sydseter wanted an online version of the game to get the updates into everyone’s hands much more quickly and were looking around to see if someone had already done the hard work. They were luckier than me (maybe…) and found Copi.

Thankfully, the fact that I had created Copi with Elixir and Phoenix didn’t put them off. We worked together to get the latest decks into the system and give it a shiny new look that feels more appropriate for being the official OWASP Cornucopia online system. Secure Delivery provides a hosted version and has released the code under a FOSS license, the GNU AGPL. You can threat model with Copi and get the code (if you’re interested) at:


A screenshot of the Copi homepage

I’m very thankful to Xavier and Johan for reinvigorating my love for working on Copi. We’ll be releasing plenty of new features and improvements in the coming weeks and months, but we’ll always keep it simple to get started. You should get started.

If you’re responsible for delivering digital products, services, software systems, applications, smart connected devices, pretty much anything technological and you’d like some help in making sure that everything is as secure as it needs to be then use our contact form below and we’ll get in touch for a chat.

Get in touch

We'd love to hear from you. Let's start your journey to world-class secure software product delivery today!

Secure Delivery
Office 7, 35/37 Ludgate Hill