
Commit 4dcea89

Merge pull request #1419 from OWASP/sydseter-patch-11
Update post about Cumulus
2 parents e010a76 + 56fd1b7 commit 4dcea89

File tree

1 file changed

+5
-5
lines changed
  • cornucopia.owasp.org/data/news/20250623-threat-modeling-your-cloud-using-owasp-cumulus


cornucopia.owasp.org/data/news/20250623-threat-modeling-your-cloud-using-owasp-cumulus/index.md

Lines changed: 5 additions & 5 deletions
@@ -13,19 +13,19 @@ _The clouds can be a scary place. All these machines that simply aren't yours. S
1313

1414
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1515

16-
As a variant of the card game [Elevation of Privilege](https://shostack.org/games/elevation-of-privilege) it follows the idea to threat model a system via gamification. This lightweight and low-barrier approach helps you find threats to your devOps or cloud project and teaches the developers a security oriented mindset.
16+
As a variant of the card game [Elevation of Privilege](https://shostack.org/games/elevation-of-privilege) it follows the idea of threat modeling a system via gamification. This lightweight and low-barrier approach helps you to find threats in your devOps or cloud project and teaches the developers a security oriented mindset.
1717

1818
## Threat Modeling
1919

20-
The idea of threat modeling via serious games goes back to the card game [Elevation of Privilege](https://shostack.org/games/elevation-of-privilege "[external]") by Adam Shostack. The basic idea is to bring the developers on a table and get them start discussing the security of their system. For this, a card game serves as a guide through a catalogue of threats. It is designed to be low-barrier and naturally embeddable within agile development processes.
20+
The idea of threat modeling via serious games goes back to the card game [Elevation of Privilege](https://shostack.org/games/elevation-of-privilege "[external]") by Adam Shostack. The basic idea is to bring the developers to the table and get them to start discussing the security of their system. For this, a card game serves as a guide through a catalogue of threats. It is designed to be a low-barrier and naturally embeddable approach within agile software development processes.
2121

22-
While we at [OWASP Cornucopia](https://cornucopia.owasp.org/) have been focusing on creating games focused on web- and mobile application security, we have felt that the specific needs of devOps team working in cloud environments have been missing. [OWASP Cumulus](https://owasp.org/www-project-cumulus/ "[external]") seeks to fill this gap and provides a custom card deck with threats to cloud systems.
22+
While we at [OWASP Cornucopia](https://cornucopia.owasp.org/) have been focusing on creating games focused on web- and mobile application security, we have felt that the specific needs of the DevOps team working in cloud environments have been missing. [OWASP Cumulus](https://owasp.org/www-project-cumulus/ "[external]") seeks to fill this gap and provides a custom card deck with threats for cloud systems.
2323

2424
## Continuously Assessing your Security
2525

26-
The point here is not do just do your initial security risk assessment and be done with it, but to continuously look for new threats on a regular basis as you expand your infrastructure according to the [Threat Modeling Manifesto](https://www.threatmodelingmanifesto.org/ "[external]").
26+
The point here is not just to do your initial security risk assessment and be done with it, but to continuously look for new threats on a regular basis as you expand your infrastructure according to the [Threat Modeling Manifesto](https://www.threatmodelingmanifesto.org/ "[external]").
2727

28-
"Continuous Threat Modeling", a term described in ["Threat Modeling: A Practical Guide for Development Teams"](https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553 "[external]") by Izar Tarandach (Author), Matthew J. Coles is essential to keep your applications and infrastructure secure as you expand them with new features and machines and increase the attack surface. Gamifications can help getting started doing just that. So why would want to continuous threat model your infrastructure and applications? Isn't it enough just to do a thorough and deep check up now and then? So we, at [Admincontrol](https://admincontrol.com/ "[external]"), thought as well!
28+
"Continuous Threat Modeling", a term described in ["Threat Modeling: A Practical Guide for Development Teams"](https://www.amazon.com/Threat-Modeling-Identification-Avoidance-Secure/dp/1492056553 "[external]") by Izar Tarandach, Matthew J. Coles is an essential technique to keep your applications and infrastructure secure as you expand them with new features and machines and increase the attack surface. Gamifications can help getting started doing just that. So why would want to continuous threat model your infrastructure and applications? Isn't it enough just to do a thorough and deep check up now and then? So we, at [Admincontrol](https://admincontrol.com/ "[external]"), thought as well!
2929

3030
At Admincontrol we where using threat modeling to threat model our applications. We have been having a large session that we only are able to do once a year, and several small sessions that we do for each sprint. We define Jira issues meant for mitigating these threats and assign them directly to the development team's backlog. Then we have security backlog grooming once a month with the product owners and discuss directly with them how we can get these issues resolved.
3131
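Review bot: the new line 28 still carries the unfixed sentence "So why would want to continuous threat model your infrastructure and applications?", which is missing its subject and uses the adjective where the adverb is needed; it should read "So why would you want to continuously threat model your infrastructure and applications?". In the same line, "Gamifications can help getting started doing just that" reads more naturally as "Gamification can help you get started with just that", and "by Izar Tarandach, Matthew J. Coles" wants an "and" between the two authors now that "(Author)" has been dropped. Two consistency points: line 16 keeps the lowercase "devOps" while line 22 is changed to "DevOps", so the casing now differs within the same post, and "the DevOps team" on line 22 narrows the original plural; "DevOps teams working in cloud environments" keeps the intended meaning. Finally, the unchanged context line 30 has "we where using threat modeling to threat model our applications", where "where" should be "were"; since this PR is a copy-edit of the post, it is worth picking that up in the same change.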
