Scaling Software Security tools across FanDuel

Jerry Dempsey · Published in FanDuel Life · Feb 14, 2024

It’s been an eventful and exciting eight months at FanDuel, and I find myself surprised at how time flies! Leading the Software Security team, I’ve focused on expanding the Application, Product, and Cloud Security teams from 5 to 12 members, supporting various FanDuel products. In the sports-tech entertainment industry, Software Security is crucial for safeguarding our reputation, gaining a competitive edge, and staying ahead of evolving threats.

Leading the Application Security team is such a thrill: it’s a fast-paced, high-performing team consistently delivering impactful work in a short time span. When I started, I established three key principles:

  • Delivery of incremental value to the business: “Deliver value early and often.”
  • Comprehensive measurement of all relevant metrics: “Measure all the things.”
  • Definition of what constitutes good in our context: “What does ‘good’ look like?”

Fresh from my previous role, where we built a code scanning platform, I embraced the idea of an abstraction layer orchestrating scans independently of underlying tools. This approach, offering flexibility and ensuring a consistent developer experience without vendor lock-in, shaped my perspective.

As Application Security came together, we discussed some of the challenges in the Software Development Lifecycle (SDLC) and started brainstorming how to best fill those needs. We had a few options to consider. One was exploring an open-source solution that gave us a solid starting point and the chance to give back to the project. Another option was ruled out as we felt it wasn’t cost effective. The third choice was to build something entirely new. After some thoughtful discussions, the team leaned towards creating a solution tailored just for FanDuel, something we could eventually share with the open-source community.

Build vs Buy

Our initial focus involved implementing secrets scanning to scrutinize code at rest, uncovering any confidential information in our repositories. Despite exploring vendor options, we concluded that building our solution would be more cost-effective and faster. Beyond cost and speed benefits, crafting our solution allowed tailoring to specific requirements and integrating various scanning types as needed.

We defined our problem statement by asking these questions:

  • What patterns exist across the source code repositories at FanDuel?
  • What patterns should exist? (ideal state)
  • How aligned are the current patterns with our ideal state?

Chronos

Chronos, our new platform, emerged from these efforts, designed to deliver value quickly based on our key principles. It allows us to write Security Development Lifecycle (SDL) checks for orchestrating scans or measuring SDLC maturity. With SDL checks running across the entire FanDuel GitHub organization or integrating into a single repo for fast feedback, Chronos makes security engineering easy by defining and upholding best practices.

Chronos includes SDL checks for software composition analysis (SCA) on Java and NodeJS, for checking Dependabot status, and for scanning for secrets via Trufflehog. With parallelization, it swiftly scans all GitHub repositories and forwards the results to Datadog for metric tracking. Integrating Chronos with Semgrep gave us SCA coverage, and an active project is adding Semgrep Code for static application security testing (SAST).

Code Scanning

One of the first challenges we solved internally using Chronos was building out our own SCA scanning capability using only open source tools. We received feedback from our developers that GitHub’s Dependabot was not finding vulnerabilities in our Java Maven or Gradle repositories. We solved this with a Chronos check that uses CycloneDX to generate a Software Bill of Materials (SBOM) for a given repo and then processes the SBOM output through a tool called grype.

SBOM

Grype can annotate the vulnerabilities into the SBOM, so we now have a full list of packages and their dependencies along with the vulnerabilities for every package used by the Java repository. We can leverage the SBOM output not only to send metrics to Datadog but also to annotate those metrics with the Datadog service catalog. This annotation capability lets us break metrics down by team, vertical, domain, tier of service, and so on. Additionally, the vulnerabilities can be sent directly to our vulnerability management system, which helps route these findings to the appropriate Jira board. As we integrate new tools we want to keep using the CycloneDX SBOM format as a common way to get metrics and vulnerabilities into the right hands for remediation.
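To make the two ideas above concrete, the SDL-check abstraction that orchestrates scans independently of the underlying tool, and the SBOM-to-metrics path just described, here is an added example. It is not Chronos or any FanDuel code: it defines a minimal check interface, parses a constructed CycloneDX-style JSON document whose `vulnerabilities` entries reference components by `bom-ref` (the shape grype's CycloneDX output follows, though the sample values here are placeholders), tags the counts with a stand-in service-catalog lookup, and shapes them as metric records. The catalog mapping, repo name, metric names and check names are all assumptions.

```python
"""Added example, not FanDuel's Chronos: a minimal SDL check that turns a
vulnerability-annotated CycloneDX SBOM into service-catalog-tagged metrics."""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Protocol

SEVERITY_ORDER = ["critical", "high", "medium", "low", "unknown"]

# Constructed sample SBOM (CycloneDX 1.4 layout). Package names, versions and
# vulnerability ids are placeholders, not real findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "pkg:maven/example/lib-a@1.0.0", "type": "library", "name": "lib-a", "version": "1.0.0"},
        {"bom-ref": "pkg:maven/example/lib-b@2.3.1", "type": "library", "name": "lib-b", "version": "2.3.1"},
        {"bom-ref": "pkg:maven/example/lib-c@0.9.0", "type": "library", "name": "lib-c", "version": "0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/example/lib-a@1.0.0"}]},
        {"id": "VULN-PLACEHOLDER-2", "ratings": [{"severity": "medium"}, {"severity": "critical"}],
         "affects": [{"ref": "pkg:maven/example/lib-a@1.0.0"}, {"ref": "pkg:maven/example/lib-b@2.3.1"}]},
        {"id": "VULN-PLACEHOLDER-3", "ratings": [],  # no rating from the scanner
         "affects": [{"ref": "pkg:maven/example/lib-c@0.9.0"}]},
    ],
})

# Constructed stand-in for a service-catalog lookup (assumed tag set).
SERVICE_CATALOG = {
    "example-org/payments-api": {"team": "payments", "tier": "1", "domain": "wallet"},
}
UNOWNED_TAGS = {"team": "unowned", "tier": "unknown", "domain": "unknown"}


@dataclass
class Finding:
    vuln_id: str
    severity: str
    package: str
    version: str


@dataclass
class CheckResult:
    check: str
    repo: str
    tags: dict
    findings: list
    metrics: dict  # metric name -> value


class SDLCheck(Protocol):
    """Every check exposes a name and a run() so the orchestrator is tool-agnostic."""
    name: str

    def run(self, repo: str, payload: str) -> CheckResult: ...


def worst_severity(vuln: dict) -> str:
    # CycloneDX allows several ratings from different sources; report the worst one.
    sevs = {r.get("severity", "").lower() for r in vuln.get("ratings") or []}
    return next((s for s in SEVERITY_ORDER if s in sevs), "unknown")


def parse_sbom_findings(sbom_json: str) -> list:
    bom = json.loads(sbom_json)
    components = {c.get("bom-ref"): c for c in bom.get("components", [])}
    findings = []
    for vuln in bom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        for affected in vuln.get("affects", []):
            comp = components.get(affected.get("ref"))
            if comp is None:
                continue  # dangling bom-ref: skip it rather than fail the whole scan
            findings.append(Finding(vuln["id"], sev, comp["name"], comp.get("version", "")))
    return findings


class ScaCheck:
    name = "sca.sbom_vulns"

    def run(self, repo: str, payload: str) -> CheckResult:
        findings = parse_sbom_findings(payload)
        tags = dict(SERVICE_CATALOG.get(repo, UNOWNED_TAGS))
        tags["repo"] = repo
        counts = Counter(f.severity for f in findings)
        metrics = {f"sca.vulns.{s}": counts.get(s, 0) for s in SEVERITY_ORDER}
        metrics["sca.vulns.total"] = len(findings)
        metrics["sca.packages_affected"] = len({(f.package, f.version) for f in findings})
        return CheckResult(self.name, repo, tags, findings, metrics)


def run_checks(repo: str, payload: str, checks: list) -> list:
    return [c.run(repo, payload) for c in checks]


def to_metric_series(result: CheckResult) -> list:
    """Flat (metric, value, tags) records, the shape a metrics client submits."""
    tag_list = [f"{k}:{v}" for k, v in sorted(result.tags.items())]
    return [{"metric": n, "value": v, "tags": tag_list} for n, v in result.metrics.items()]


if __name__ == "__main__":
    for result in run_checks("example-org/payments-api", SAMPLE_SBOM, [ScaCheck()]):
        for series in to_metric_series(result):
            print(series)
```

Because each finding is keyed to a component `bom-ref`, the same parser works for any tool that emits CycloneDX with a `vulnerabilities` array, which is the point of standardising on the format: the check does not care which scanner produced the document.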

The team has also developed an SDL check for secrets using Trufflehog that will allow developers to be proactive by scanning commits for secrets after pushing them to GitHub. The check runs on every push but the real value here is that we are using our CI/CD annotations and pull request comments as a feedback mechanism.
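As an added example of the feedback mechanism described here (not FanDuel's check and not TruffleHog's own code), the snippet below takes newline-delimited JSON in the shape of TruffleHog's `--json` output, separates verified from unverified findings, and renders them as GitHub Actions annotation commands plus a pull request comment body. The sample records are constructed, the field names are an assumption about that output format, and the check fails only on verified findings; the raw secret value is never echoed into the annotation or comment.

```python
"""Added example, not FanDuel's code: turn secret-scanner findings into CI
annotations and a pull request comment, without echoing the secret itself."""
import json

# Constructed sample records in the layout of TruffleHog JSON output (assumed
# field names). One verified finding, one unverified; values are placeholders.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"DetectorName": "AWS", "Verified": True, "Raw": "AKIAPLACEHOLDER",
                "SourceMetadata": {"Data": {"Git": {"file": "config/settings.py",
                                                     "line": 12, "commit": "abc1234"}}}}),
    json.dumps({"DetectorName": "Generic", "Verified": False, "Raw": "placeholder-token",
                "SourceMetadata": {"Data": {"Git": {"file": "scripts/deploy.sh",
                                                     "line": 3, "commit": "abc1234"}}}}),
])


def parse_scanner_output(ndjson: str) -> list:
    """Keep only the location and detector; the secret value is dropped here."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        git = rec.get("SourceMetadata", {}).get("Data", {}).get("Git", {})
        findings.append({
            "detector": rec.get("DetectorName", "unknown"),
            "verified": bool(rec.get("Verified")),
            "file": git.get("file", "?"),
            "line": int(git.get("line", 0)),
            "commit": git.get("commit", "?"),
        })
    return findings


def ci_annotations(findings: list) -> list:
    """GitHub Actions workflow commands: verified secrets are errors, the rest warnings."""
    out = []
    for f in findings:
        level = "error" if f["verified"] else "warning"
        out.append(f"::{level} file={f['file']},line={f['line']},title=Secret detected::"
                   f"{f['detector']} credential found in commit {f['commit']}")
    return out


def pr_comment(findings: list) -> str:
    if not findings:
        return "Secret scan: no findings."
    rows = ["### Secret scan results", "",
            "| Status | Detector | Location | Commit |", "|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: not f["verified"]):  # verified first
        status = "VERIFIED" if f["verified"] else "unverified"
        rows.append(f"| {status} | {f['detector']} | `{f['file']}:{f['line']}` | {f['commit']} |")
    rows += ["", "Verified findings block this check: rotate the credential, then remove it from history."]
    return "\n".join(rows)


def check_passes(findings: list) -> bool:
    return not any(f["verified"] for f in findings)


if __name__ == "__main__":
    found = parse_scanner_output(SAMPLE_OUTPUT)
    print("\n".join(ci_annotations(found)))
    print(pr_comment(found))
    raise SystemExit(0 if check_passes(found) else 1)
```

Failing the check on verified findings only keeps the signal-to-noise ratio high for developers, while unverified matches still surface as warnings they can triage in the same pull request view.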

Chronos was designed by David Volm, an Application Security Engineer on the team. FanDuel is hosting the Atlanta chapter OWASP meetup at our Atlanta offices on February 27th, where David will be presenting a deep dive on Chronos. Please come along to hear more. Additionally, we’re exploring making Chronos available via open source in the near future. Stay tuned for more updates!
