Chef’s Dominik Richter on Making Infrastructure-as-Code Compliant
The immediate benefit of virtualizing all the resources that collectively constitute the infrastructure of your data center, as Chef has professed since its beginnings as OpsCode, is to address those resources programmatically and build systems with code. Which is nice, but the moment that happens, you and your fellow developers may notice the compliance department asking for a meeting at your earliest convenience.
Indeed, that’s exactly what happened with Chef’s engineers.
“When the auditors came in and the security people,” described Dominik Richter, Chef’s head of compliance, in an interview with The New Stack’s Alex Williams, “we noticed there’s something that we could also do that we hadn’t thought about before, which is security and compliance testing.”
It wasn’t exactly a case of leveraging power that was already in Chef, because that power wasn’t there yet. Richter and his colleagues had previously built a product called VulcanoSec for automated security and compliance testing. The VulcanoSec product and team were acquired by Chef in 2015, and their work was re-released as InSpec, part of the Chef Compliance suite. As Richter wrote at that time, the inspiration behind their work was a behavior-driven extension for Ruby called RSpec, which enabled a script developer to express the state of infrastructure resources not as declarations but instead as expectations — descriptions of the way things should be, if everything goes well. Which it doesn’t always.
Richter spoke with Williams for this latest edition of The New Stack Makers podcast, from the ChefConf 2017 conference in Austin, Texas.
“You know, in the old days,” said Richter, “security people went into their systems, they were opening up these very complex configuration files, and then they were looking with a regular expression [RegEx] whether they found that pattern somewhere in that file. The problem with that is, it doesn’t always work, and these config files are very complex at times. InSpec hides that complexity from you; it will just give it to you as an object, and you can just say, ‘Hey, in my MySQL server, is it actually running with a secure configuration or not?’”
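The contrast Richter draws, grepping a config file with a regular expression versus treating it as an object you can question, illustrated as an added plain-Ruby example (not InSpec itself and not code from Chef or the article): a constructed `my.cnf` is parsed into a hash and checked against RSpec-style expectations; the specific MySQL settings chosen are this example's assumptions, not an official baseline.

```ruby
# Constructed sample my.cnf; not taken from any real host.
SAMPLE_MY_CNF = <<~CNF
  # MySQL server settings (constructed sample)
  [client]
  port = 3306

  [mysqld]
  bind-address = 0.0.0.0
  local_infile = 1      # allow LOAD DATA LOCAL
  skip-symbolic-links
  log_error=/var/log/mysql/error.log
CNF

# Parse INI-style my.cnf into {section => {key => value}}.
# Bare option lines (e.g. "skip-symbolic-links") become key => true, and
# MySQL accepts '-' and '_' interchangeably in option names, so names are
# normalised to '_': exactly the detail a hand-written regex tends to miss.
def parse_my_cnf(text)
  config = Hash.new { |h, k| h[k] = {} }
  section = nil
  text.each_line do |raw|
    line = raw.sub(/#.*$/, "").strip        # drop '#' comments (inline too)
    next if line.empty? || line.start_with?(";")
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif section
      key, value = line.split("=", 2).map(&:strip)
      config[section][key.tr("-", "_")] = value.nil? ? true : value
    end
  end
  config
end

# Human-readable expectations over the parsed [mysqld] object (assumed
# hardening checks for illustration, not an authoritative list).
MYSQLD_EXPECTATIONS = {
  "local_infile should be explicitly set to 0" => ->(c) { c["local_infile"] == "0" },
  "skip_symbolic_links should be set"          => ->(c) { c["skip_symbolic_links"] == true },
  "bind_address should not be 0.0.0.0"         => ->(c) { c["bind_address"] != "0.0.0.0" },
  "log_error should be configured"             => ->(c) { !c["log_error"].nil? },
}

# Returns the descriptions of failed expectations (empty array = compliant).
def mysqld_findings(text)
  mysqld = parse_my_cnf(text)["mysqld"]
  MYSQLD_EXPECTATIONS.reject { |_, check| check.call(mysqld) }.keys
end

if __FILE__ == $PROGRAM_NAME
  mysqld_findings(SAMPLE_MY_CNF).each { |finding| puts "FAIL: #{finding}" }
end
```

On the sample above, the two failing expectations are the `local_infile` and `bind_address` checks; the bare `skip-symbolic-links` line and the `log_error` setting pass.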
Listen now to InSpec: Human Readable, Automated Compliance, the latest edition of The New Stack Makers podcast from ChefConf 2017.
1:43: Continuous automation as a theme and how InSpec fits into that.
4:00: Looking at InSpec today.
6:37: How InSpec has abstracted its infrastructure.
13:15: What InSpec is improving in its syntax through testing to make it more usable.
15:01: Discussing the next generations of the language that InSpec is building.
21:23: Building intelligence into the InSpec algorithm with Chef Habitat.