By 
Makes it easier for DevOps teams to keep up with security and compliance.
Chef, a continuous automation vendor, has announced the latest edition of its compliance automation solution, InSpec. It’s the first step in Chef’s ‘Detect, Correct, Automate’ approach to cloud migration and continuous automation.
“InSpec provides an easy-to-learn, open-source path to incorporating security and compliance requirements as code directly with the delivery process, ensuring that applications and infrastructure are compliant every step of the way — not just at the end of the process,” said Marc Holmes, VP of marketing at Chef.
Living up to the mindset of ‘everyone is responsible for security’, InSpec 2.0, enables different teams within an organization to keep up with compliance issues throughout the lifecycle of an application, irrespective of where its running.
InSpec helps organizations maintain an up-to-date view of compliance status in production, detect security issues long before they reach production and reduce risk while delivering applications faster.
The new version offers cloud configuration testing for major cloud providers including Microsoft Azure and AWS. It provides more than 30 new conformance capabilities, including Docker, IIS, NGINX and PostgreSQL. It also offers enhanced integration with third-party tools and improved ease-of-use and customizability.
What is it: InSpec is an open-source framework for describing security and compliance rules that can be shared between software engineers, operations and security engineers. InSpec enables compliance at velocity at all stages of the software delivery process, from the developer’s workstation all the way to production, with no performance impact or side-effects. InSpec’s readability means it is easy to use and understand for all team members, including those whose roles involve minimal coding.
Why does it matter: Just look at the Verizon breach on AWS servers that exposed the critical data of over 14 million users.
Compliance is expensive, but violations are even more expensive. According to data provided by Chef, “PCI-related fines range from $5,000 to $100,000 per-incident, per-month; fines of up to $1.5 million can be applied for HIPAA violations. GDPR-related fines can rise as high as 20 million EUR, or four percent of a company’s annual revenue, whichever is higher. Still, processes and procedures for assessment and compliance remain ad-hoc, arbitrary and manual, in most cases.”
In a survey, Chef found that 74 percent of cross-functional application, infrastructure and security teams assess software for compliance manually prior to production. Manually! In most cases it could take weeks to detect and remedy security issues.
By automating compliance InSpec solves most of these problems.
What’s new: Some of the new capabilities of InSpec 2.0 include:
- Cloud configuration compliance: InSpec 2.0 gives users the ability to write compliance rules against cloud resources, including AWS and Microsoft Azure, with user-defined custom compliance policies.
- Improved user experience: InSpec 2.0 contains more than 30 new resources, allowing users to write compliance rules for many common applications and configuration files without requiring any programming knowledge. These include Docker, security keys (RSA/DSA/x509), web server (IIS/nginx/Apache) configurations, packages (both system as well as Perl/R/etc.), PostgreSQL and MySQL database configurations, XPath matching in XML config files, ZFS storage pool configurations and many more.
- New integrations: InSpec results can now be exported as JUnit format for integration into continuous delivery tools such as Jenkins and can pull compliance profiles from Chef Automate. Previously-announced integration with Amazon Systems Manager (SSM) provides a frictionless on-ramp to InSpec in the cloud.
- Improved performance: InSpec 2.0 runs 90 percent faster than InSpec 1.0 on Windows and 30 percent faster on Linux.
The background: Chef acquired InSpec via acquisition of VulcanoSec in 2015. Chef later released it as a standalone Open Source project.
