Project Overview

FOYS (Focus On Your Sport) refers to managing all aspects of your sport. It is an integrated, modern platform that saves your volunteers and staff valuable time when managing your club or federation.

The FOYS platform is designed to support sports federations, clubs, and their members in the organisation, administration, and communication around their sports. The platform contains the personal details of thousands of people and is therefore a critical asset for the company. The scope of the project was to conduct a security audit of the Focus On Your Sport (FOYS) platform.

Our Approach

The security audit was performed based on:

  • Information gathered from the first technical discussion with Yorick, Jochem, and FOYS Team members
  • Additional meetings with Yorick and Technical Team
  • Architecture Document
  • API Documentation
  • The database shared by the FOYS team
  • Manual Code Review from Masterly Solutions
  • Automatic testing of specific threat scenarios

The security audit was based on the Application Security Verification Standard (ASVS) version 4.0 of OWASP (Open Web Application Security Project). It covered the following areas:

  • Architecture, Design and Threat Modeling Verification
  • Authentication Verification
  • Session Management Verification
  • Access Control Verification
  • Validation, Sanitization, and Encoding Verification
  • Stored Cryptography Verification
  • Error Handling and Logging Verification
  • Data Protection Verification
  • Communications Verification
  • Malicious Code Verification
  • Business Logic Verification
  • File and Resources Verification
  • API and Web Service Verification
  • Configuration Verification
  • HTTP Security Headers Verification

Solution

We developed a set of security audit phases covering the following areas:

  • Analysis of the current FOYS Platform architecture, interfaces, data flows, sensitive modules, and infrastructure.
  • Information gathering from various sources – human and technical. This includes communications with technical people and management.
  • Hands-on testing of various application scenarios with respect to the previously obtained knowledge and data-flow scenarios.
  • Automated testing of application code, web applications, and API using tools to find security vulnerabilities.
  • A final and comprehensive report of the security review activity, summarizing the entire review process, the methodology, and the detailed findings.

Benefits

  • Data Protection
  • Audit Ready
  • Gap Identification
  • Risk Management

Industry

  • IT Solutions

Involvement

  • Wireframe
  • Design
  • Development