Chef InSpec 2.0 Puts the Security into DevSecOps

Automation and configuration-management company Chef has beefed up the capabilities of InSpec, its compliance automation solution designed to help keep compliance, security and DevOps teams all on the same page.
The newly-issued InSpec 2.0 provides cloud configuration testing for AWS and Microsoft Azure, more than 30 new conformance capabilities, and enhanced performance.
A whitepaper from the SANS Institute urges organizations to embrace security automation, saying, “For true DevSecOps to take hold, security teams will need to embed automated tests and validation of controls into the deployment cycle and monitor applications continuously in production with triggered responses that can roll controls back to a known good state, among other outcomes.”
InSpec enables compliance, security and DevOps teams to more clearly define security and compliance tasks by writing specific rules to automate them.
“It could be something like, ‘we have to have a mandatory access control system in our production environments,’” explained Julian Dunn, director of product marketing at Chef.
“That could be open to interpretation based on, for example, whether or not we’re a regulated company, are we applying this in all environments? Are we a Windows shop? A Linux shop? If we’re Linux what distribution are we running because it’s different for each. Think about this and multiply it across the thousands of requirements we want to put in place to ensure we’re secure.”
Security and compliance scans are typically run too late, close to production, so when problems turn up the software is sent back to the beginning of the delivery cycle and everybody is frustrated.
Too often, the business decides to make an exception — after all, it can’t miss the Christmas market window, for example — and insecure software is put into production, Dunn explained.
A recent Chef survey of more than 1,500 users found that 74 percent of the application, infrastructure and security teams assess software for compliance manually prior to production and half remediate manually. With manual processes, fixes take days (31 percent) or weeks (19 percent), instead of hours (18 percent).
InSpec lets a company know, up to the minute, how secure and compliant it is across all of its production environments, Dunn said.
The new capabilities:
- Cloud configuration compliance: Users can write custom compliance policies for AWS and Microsoft Azure or use pre-defined policies for regulations such as PCI, HIPAA and the Department of Defense. InSpec 1.0 was focused on security and compliance rules around individual machines, Dunn said.
Now users can validate cloud configurations, covering virtual machines, security groups, block storage, networking, identity and access management, and log management.
“You could still test with this stuff [in 1.0], but it was just a bit more gnarly from a user perspective,” Dunn said. “It provides a simpler level of abstraction so you can find out things like what Docker containers do you have running, what packages do you have running. We want to make sure our database doesn’t have the default database installed or the default user installed and we have strong passwords and we can see what systems are allowed to connect to this database server, make sure they’re using encryption.”
- New resources: Users can write compliance rules for many common applications and configuration files without any programming knowledge, for resources including Docker, security keys (RSA/DSA/x509), web server (IIS/nginx/Apache) configurations, packages (both system packages and Perl/R/etc.), PostgreSQL and MySQL database configurations, XPath matching in XML config files, ZFS storage pool configurations and more.
- New integrations: InSpec results can now be exported in JUnit format for integration into continuous delivery tools such as Jenkins, and InSpec can pull compliance profiles from Chef Automate. The previously-announced integration with Amazon Systems Manager (SSM) provides a frictionless on-ramp to InSpec in the cloud.
- Improved performance: InSpec 2.0 runs 90 percent faster than InSpec 1.0 on Windows and 30 percent faster on Linux, according to Chef.
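As an added illustration, not code from Chef, InSpec or this article, here are the database checks Dunn describes above written in plain Ruby rather than InSpec's own Ruby DSL: a constructed my.cnf fragment and user list are evaluated against pass/fail controls, and the results are rendered as the JUnit XML that InSpec 2.0 can export for Jenkins. The control names, sample values and rule thresholds are assumptions.

```ruby
# Constructed sample of a MySQL server configuration (not from a real host).
SAMPLE_MY_CNF = <<~CNF
  [mysqld]
  bind-address = 0.0.0.0
  require_secure_transport = OFF
  ssl-cert = /etc/mysql/server-cert.pem
  local-infile = 1
CNF

# Constructed rows of `SELECT user, host FROM mysql.user` on the same host.
SAMPLE_USERS = [["root", "localhost"], ["app", "10.0.1.%"], ["", "localhost"], ["test", "%"]]

# Parse the [mysqld] section into a hash; dashes and underscores are equivalent in my.cnf keys.
def parse_mysqld_conf(text)
  section = nil
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif section == "mysqld" && (m = line.match(/\A([\w-]+)\s*=\s*(.*)\z/))
      conf[m[1].tr("-", "_")] = m[2]
    end
  end
end

# One predicate per control, mirroring the database checks quoted above (names are assumed).
RULES = {
  "mysql-no-anonymous-user" => ->(_c, users) { users.none? { |name, _| name.empty? } },
  "mysql-no-test-user"      => ->(_c, users) { users.none? { |name, _| name == "test" } },
  "mysql-root-local-only"   => ->(_c, users) { users.select { |n, _| n == "root" }.all? { |_, h| h == "localhost" } },
  "mysql-require-tls"       => ->(conf, _u) { conf["require_secure_transport"].to_s.casecmp?("ON") },
  "mysql-no-local-infile"   => ->(conf, _u) { conf["local_infile"].to_s == "0" },
}.freeze

# Returns { control name => true (pass) / false (fail) }.
def evaluate(conf, users)
  RULES.transform_values { |pred| pred.call(conf, users) }
end

# Render results as a JUnit testsuite so a CI job (e.g. Jenkins) can fail the build on any failed control.
def junit_xml(results, suite = "mysql-baseline")
  failures = results.count { |_, ok| !ok }
  xml = %(<?xml version="1.0"?>\n<testsuite name="#{suite}" tests="#{results.size}" failures="#{failures}">\n)
  results.each do |name, ok|
    xml << %(  <testcase name="#{name}">) << (ok ? "" : %(<failure message="control failed"/>)) << "</testcase>\n"
  end
  xml << "</testsuite>\n"
end
```

Running `puts junit_xml(evaluate(parse_mysqld_conf(SAMPLE_MY_CNF), SAMPLE_USERS))` on the sample data reports four of the five controls as failures, which is the signal a CI job would act on.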
“If you’re going to run it on a developer’s workstation and in a non-impactful way all the way up to and including production, it has to be pretty fast. So we’ve improved the performance of InSpec with a view to being able to do that,” Dunn said.
Chef introduced open source InSpec in 2015 as stand-alone software and announced incubation projects for AWS, Azure and vSphere for Chef Automate last May. The vSphere integration is still in the works, Dunn said, as are integrations with other cloud providers accessible over APIs.
In November, it announced further integration with Amazon Web Services to improve compliance and containerized application lifecycle management, after releasing in October its application packaging software-as-a-service Habitat Builder, built on its open source Habitat tool.
Chef is a sponsor of The New Stack.