
Chef InSpec 3.0: Wider, Deeper on Automated Compliance

16 Oct 2018 10:52am, by

Automation vendor Chef continues to build out its InSpec compliance tool with an eye toward making it easier to use and its reach deeper, especially in highly mixed environments.

InSpec 3.0, released today, introduces a plug-in architecture, improved exception management and automated compliance for Terraform, the open source tool that codifies APIs into declarative configuration files that can more easily be shared among team members.

InSpec is an open-source language for describing security and compliance rules, designed to be used at all stages of the software delivery process with no side effects on that process.

“Establishing and maintaining compliance across heterogeneous environments is a daunting task, made more so by ever-shifting regulatory requirements alongside rapidly-evolving hybrid IT strategies,” Chef’s Corey Scobie, senior vice president of product and engineering, said at the rollout.

The new features in InSpec 3.0:

  • Plug-in architecture, available for both InSpec and Train, the TRAnsport INterface library on which InSpec was built, widens the range of communication protocols and resource types that can be developed for use with InSpec.
  • Revamped exception management makes it easier to skip the execution of certain InSpec controls on specific nodes and to keep track of acceptable failures to improve core audit and remediation capabilities and minimize confusion.
  • Workflow-enhancing APIs, a stable API between profiles — groups of compliance tests similar to Chef Cookbooks — and attributes — the data that enables users to modify how tests are conducted. Improvements to the packaging (vendoring) mechanism for profiles allows developers to more easily iterate on InSpec profiles with dependencies.
  • Compliance for Terraform: This provisioner plugin can be executed during a Terraform run to validate the state of virtual machines and cloud infrastructure in a single operation. In addition, Inspec-Iggy (“InSpec Generator,” or I.G.) enables users to generate compliance controls from a Terraform state file.
  • Compliance for Google Cloud Platform, providing native support for GCP as a plug-in. It also offers premium InSpec content in Chef Automate to support Center for Internet Security (CIS) benchmarks for GCP to ensure compliance across cloud applications and infrastructure.
  • Improved metadata interface on controls: InSpec 3.0 introduces a key-value based description interface, allowing for more fine-grained tracking as well as de-duplication of controls for enhanced compliance reporting. It also allows users to create their own metadata categories to suit their own reporting needs.
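To make the Terraform feature concrete, the following is an added example (not Inspec-Iggy's own code) of the idea behind generating controls from a Terraform state file: it parses a constructed state document in the Terraform 0.11 (state version 3) layout and emits InSpec controls against the `aws_ec2_instance` and `aws_security_group` resources for each matching resource, skipping types it has no mapping for. The resource-to-property mapping and the sample identifiers are assumptions made for the example.

```ruby
require 'json'

# Constructed sample state in the Terraform 0.11 (state version 3) layout; all ids are made up.
SAMPLE_STATE = <<~JSON
{
  "version": 3,
  "modules": [{
    "path": ["root"],
    "resources": {
      "aws_instance.web": {
        "type": "aws_instance",
        "primary": {"id": "i-0abc123", "attributes": {"instance_type": "t2.micro", "ami": "ami-0fake"}}
      },
      "aws_security_group.web": {
        "type": "aws_security_group",
        "primary": {"id": "sg-0abc123", "attributes": {"name": "web-sg", "vpc_id": "vpc-0abc123"}}
      },
      "random_id.suffix": {"type": "random_id", "primary": {"id": "xyz", "attributes": {}}}
    }
  }]
}
JSON

# Terraform resource type -> InSpec resource, plus which state attributes map to which InSpec properties.
# This mapping is an assumption for the example, not a complete catalogue.
MAPPINGS = {
  'aws_instance'       => { resource: 'aws_ec2_instance',   props: { 'instance_type' => 'instance_type', 'ami' => 'image_id' } },
  'aws_security_group' => { resource: 'aws_security_group', props: { 'name' => 'group_name', 'vpc_id' => 'vpc_id' } }
}.freeze

# Returns one InSpec control (as a string) per mapped resource found in the state file.
def generate_controls(state_json)
  state = JSON.parse(state_json)
  state.fetch('modules').flat_map do |mod|
    mod.fetch('resources').filter_map do |address, res|
      mapping = MAPPINGS[res['type']]
      next unless mapping # unmapped types (e.g. random_id) produce no control
      primary = res['primary']
      lines = ["control '#{address}' do", "  impact 1.0",
               "  title 'Verify #{address} matches the recorded Terraform state'",
               "  describe #{mapping[:resource]}('#{primary['id']}') do", "    it { should exist }"]
      mapping[:props].each do |tf_attr, inspec_prop|
        value = primary['attributes'][tf_attr]
        lines << "    its('#{inspec_prop}') { should cmp '#{value}' }" unless value.nil?
      end
      (lines << '  end' << 'end').join("\n")
    end
  end
end

puts generate_controls(SAMPLE_STATE).join("\n\n") if __FILE__ == $PROGRAM_NAME
```

The generated text is meant to be saved into a profile's `controls/` directory and run with `inspec exec`; it is a drift check against the recorded state, not a replacement for a CIS-style benchmark.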

InSpec originated as a tool for testing operating systems, node configurations and services, but with the release of InSpec 2 in February it expanded to full-stack testing of infrastructure fleets. InSpec 2 added support for testing configurations in cloud environments such as Microsoft Azure and AWS, plus speed and tooling improvements. It also enabled developers to use Automate as a source for compliance profiles, to store InSpec reports for both compliance and security audits, and to export reports in JUnit format for integration into CI/CD tools like Jenkins.

At the same time, Chef has been moving from an infrastructure focus to more of an app-centric view. As Dominik Richter, senior product manager at Chef, explained in an episode of The New Stack Makers, as applications move between environments, the security and compliance rules set up for them need to move with them.

In another episode, AWS’s Jonathan Weiss, senior software development manager, and Mark Rambow, software development manager, talked about how Chef enables them to operate at scale in a container-based world.

Automation continues to grow for testing and security, yet usage remains low, according to the World Quality Report 2018-2019. The survey of 1,700 IT decision makers found just 16 percent of performance test cases are executed with test automation tools, with a similar percentage for security tests.

And more than half of CIOs and CCOs in a KPMG survey said they are not automating compliance, and just 1 in 5 have a well-defined strategy to do so.

While companies are automating routine operational tasks to gain efficiency and cut costs, according to KPMG’s Amy Matsuo, “The next step is for organizations to pivot from using automation in operational processes to deploying it for compliance analytic and predictive purposes. To do so, they must first prioritize compliance activities that can be automated while setting expected returns on investment.”

Chef is a sponsor of The New Stack.
