
Chef Launches InSpec 2.0 to Improve Security Compliance Automation


Chef updates open-source detection and evaluation tool to help organizations with security compliance in the cloud.
On Feb. 20, DevOps vendor Chef announced the latest edition of its open-source InSpec compliance tool to help accelerate and enable a DevSecOps approach to IT security.
The emerging discipline of DevSecOps (development, security and operations) uses programmatic constructs and automation to improve and scale IT security. With InSpec 2.0, organizations can define policy profiles for IT infrastructure whether it runs on-premises or in the cloud.
"The major feature in InSpec 2.0 is the ability now to check for cloud compliance," Julian Dunn, Director of Product Marketing at Chef, told eWEEK. "In other words, this evolves InSpec from its roots as a language for checking compliance of machines and allows it to check APIs."
InSpec is an open-source tool with its roots in technology Chef gained through the acquisition of VulcanoSec in November 2015. Dunn explained that when Chef first acquired the InSpec technology from VulcanoSec, it had just achieved relative parity with ServerSpec, upon which InSpec was originally based. He added that at the time of the Chef acquisition, InSpec was also not yet a standalone open-source project.
"Since we spun out InSpec as a separate tool, we've been adding many more out-of-the-box resources to allow for elegant expression of compliance checks," Dunn said. "For example, rather than using shell scripts to grep through various configuration file formats, we have language right within InSpec to do parsing of common formats like Apache configs or XML files and get the values you want without a lot of ceremony."
InSpec is both the name of the tool and the domain-specific language in which compliance rules are written. A collection of InSpec rules is known as a profile. What Chef charges for is enterprise content and the dashboard.
"InSpec as a project doesn't supply any content: users can write their own profiles or consume and customize ones from open-source sources like the Dev-Sec project (dev-sec.io) or ones that users publish to the Chef Supermarket," Dunn said. "If they purchase Chef Automate, they have access to pre-written ones for common security baselines and get a subscription for new ones that we create."
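As an added illustration of what a profile's controls look like (example code written for this article, not Chef's or the InSpec project's own), the following controls file uses InSpec's built-in `sshd_config` and `apache_conf` resources to read settings from parsed configuration rather than grepping the files, which is the point Dunn makes above. The control IDs, file paths and thresholds are assumptions; a real profile also carries an `inspec.yml` with at least a `name` field.

```inspec
# controls/baseline.rb -- example controls added to this article, not code from
# Chef or the InSpec project. Paths and expected values are assumptions; adjust
# them to the baseline your security, compliance and IT teams have agreed on.

control 'ssh-01' do
  impact 1.0
  title 'sshd must not permit root login or password authentication'
  desc 'Uses the sshd_config resource, which parses the file, so commented-out directives are ignored.'
  # Default path is /etc/ssh/sshd_config; pass a path to check another file.
  describe sshd_config do
    its('PermitRootLogin') { should cmp 'no' }
    its('PasswordAuthentication') { should cmp 'no' }
    its('Protocol') { should cmp 2 }
  end
end

control 'apache-01' do
  impact 0.5
  title 'Apache must not advertise its version in headers or error pages'
  # Skip (rather than fail) on hosts that do not run Apache at all.
  only_if('Apache configuration is present') { file('/etc/apache2/apache2.conf').exist? }
  describe apache_conf('/etc/apache2/apache2.conf') do
    its('ServerTokens') { should cmp 'Prod' }
    its('ServerSignature') { should cmp 'Off' }
  end
end
```

Save it as `controls/baseline.rb` in a profile directory next to `inspec.yml` and run `inspec exec <profile_dir> -t ssh://user@host` (or with no target to scan the local machine). Because the resources parse the file, a commented-out `#PermitRootLogin yes` line does not produce a false match the way a naive grep would, and `cmp` compares case-insensitively and across string and integer types, so `Protocol 2` passes whether the parsed value comes back as a string or a number.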
Chef Automate is Chef's flagship platform, which debuted in July 2016 as a technology to help organizations automate IT and developer process workflows. Dunn noted that InSpec is a detection and evaluation tool for machine and cloud correctness; it evaluates state rather than correcting it, and can work alongside any tool that does the correcting, be that Amazon CloudFormation, Azure Resource Manager or Terraform for cloud resources, or Chef, Puppet or Ansible for machine-level configuration.
Dunn explained that organizations that use InSpec as part of a Chef Automate deployment benefit from real-time and historical dashboards of compliance status, which help with operational security response as well as with satisfying audit requirements. Additionally, Chef Automate users can schedule remote compliance scans against their infrastructure and capture the results in a report.
InSpec is not the only open-source approach to automating security compliance. The Security Content Automation Protocol (SCAP), a NIST specification implemented by open-source tooling such as OpenSCAP, is widely used. Dunn described SCAP as a specification for expressing and manipulating security data in standardized ways.
"The main challenge with SCAP is in the complexity of its architecture and the often-opaque data interchange formats involved," Dunn said. "SCAP documents are expressed in difficult-to-understand XML formats like XCCDF and OVAL and are not human-readable in contrast to InSpec."
There are multiple compliance requirements that InSpec can help automate. Checking that cloud storage resources are not publicly accessible is one use case where Dunn said InSpec can help. InSpec may also help organizations comply with the European Union's General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. Dunn explained that, like many compliance regimes, the application of GDPR is highly context-specific.
"It is still up to the customer to interpret the requirements and apply them to their situation," Dunn said. "InSpec can fill the gap, getting agreement between compliance, security, and IT on the rules for a particular situation."
For example, GDPR makes statements about securing workstations on which EU citizen data is being handled. Dunn noted that InSpec would help a firm covered by GDPR agree on compliance controls for those workstations, which might include, for example, a complex password policy.
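The cloud-API checking Dunn describes earlier (InSpec 2.0 checking APIs rather than only machines, with a non-public storage bucket as the use case) and the workstation password policy just mentioned, as an added example written for this article; this is not code from Chef, the InSpec project or the Dev-Sec baselines. The bucket name, thresholds and control IDs are assumptions. The `aws_s3_bucket` control talks to the S3 API rather than to a host, so it is run with an `aws://` target; the two workstation controls are guarded with `only_if` so the Linux checks skip on Windows and vice versa.

```inspec
# controls/cloud_and_workstation.rb -- example controls added to this article,
# not Chef's or the InSpec project's code. Bucket name and thresholds are
# assumptions standing in for values a team would agree on for its own situation.

control 'aws-s3-01' do
  impact 1.0
  title 'Bucket holding customer exports must not be publicly accessible'
  desc 'Evaluates the S3 API, not a machine. Run with: inspec exec <profile> -t aws://<region>'
  describe aws_s3_bucket(bucket_name: 'example-customer-exports') do
    it { should exist }
    it { should_not be_public }   # fails on a public ACL or a public bucket policy
  end
end

control 'ws-pw-01' do
  impact 0.7
  title 'Linux workstation password policy'
  only_if('Linux host') { os.linux? }
  # /etc/login.defs: aging rules applied to newly created accounts.
  describe login_defs do
    its('PASS_MAX_DAYS') { should cmp <= 90 }
    its('PASS_MIN_DAYS') { should cmp >= 1 }
  end
  # pam_pwquality settings ("key = value" lines) parsed with the generic resource.
  describe parse_config_file('/etc/security/pwquality.conf') do
    its('minlen') { should cmp >= 14 }
    its('minclass') { should cmp >= 3 }
  end
end

control 'ws-pw-02' do
  impact 0.7
  title 'Windows workstation password policy'
  only_if('Windows host') { os.windows? }
  # security_policy reads the local security policy (secedit export).
  describe security_policy do
    its('MinimumPasswordLength') { should be >= 14 }
    its('PasswordComplexity') { should eq 1 }
    its('MaximumPasswordAge') { should be <= 90 }
  end
end
```

For the cloud control, InSpec reads AWS credentials from the environment or the usual shared credentials file, so the scanning identity only needs read permissions on the bucket's ACL and policy. The workstation controls express the "complex password policy" of the paragraph above as concrete, checkable values; the numbers themselves are the part the compliance, security and IT teams have to agree on.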
Looking forward, Dunn said Chef will continue to extend InSpec's cloud compliance capabilities in coming releases. Together with Chef Automate, the plan is to ship more InSpec profiles for named compliance regimes such as PCI and HIPAA, and to keep the existing profiles current as requirements evolve.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
