Chef Launches New Version for DevSecOps Automated Compliance
18.10.2018 securityweek
Safety

Chef Software has announced the latest version of its InSpec compliance automation platform for DevSecOps. InSpec provides an open source high-level language to share security and compliance rules between development, security, and operations engineers. The rules can cover compliance with internal security policy, infrastructure provisioning, and external regulatory requirements.

InSpec allows security and compliance requirements to be expressed in a common language for all groups. So, if the security group specifies that an application requires a mandatory access control system, this can be added to InSpec as a few lines of simple code. As the development proceeds, InSpec checks that all such specified requirements are included within the application.

"Due to the human-readable way InSpec code is written, we've had success getting buy-in from the non-technical decision makers, which has been crucial in supporting our transformation efforts," comments Hans Nesbitt, cloud engineer at Pacific Life.

Where there are external regulatory requirements, the method of fulfillment can be specified in the same high-level language, and the platform will check for its inclusion within the application as development proceeds. InSpec does not tell the development team how to conform to any particular requirement -- such as GDPR or PCI -- but ensures that the chosen method of compliance specified by the security team is included within the final product. This is done continuously throughout the development cycle to ensure that security is built into the product rather than added at the end.

"With InSpec as an integral part of our pipeline," explains Keith Walters, director of partner solutions for TapHere! Technology, "we are able to automatically test for security and compliance throughout the development process. The detailed visibility into our systems that InSpec provides enables us to drive towards an Automated ATO (Authority to Operate), or approval to push live. This accelerates how we deliver mission capabilities to our citizens and service members while adhering to our security requirements."

InSpec 3.0 adds a new plugin architecture; improved exception management; compliance with HashiCorp Terraform and Google Cloud Platform (GCP); and improved metadata.

The plugin architecture makes it easier for developers to extend their use of InSpec. New custom resources can be added directly from InSpec. Via Train (the TRAnsport INterface library), it can be extended to new device types and clouds, such as DigitalOcean and Alibaba. It also extends InSpec's compliance capabilities with native support for GCP.

"InSpec," says Nesbitt, "has helped us break down silos between the application developers, operations and security teams as we migrate to the cloud. It gives everyone confidence that we can automatically deploy and maintain infrastructure as code in a transparent, repeatable, and secure way."

The improved exception management allows InSpec controls to be skipped on nodes where they are not required. This could include specific devices that already have the specified controls built in; devices where the controls are not necessary, perhaps because the device is air-gapped; or devices where adding the controls could interfere with delicate operations and excluding them is defined as an acceptable risk.

Integration with Terraform has two primary components: 'Provisioning' runs InSpec tests after a 'terraform apply' operation for servers and clouds; and an InSpec Generator (known as 'Iggy') generates a starter set of InSpec controls by parsing an existing Terraform state file. "This is a big deal," adds Nesbitt, "because we will catch and prevent deployment of non-compliant infrastructure, which saves costs and enhances security."
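
A minimal sketch of the kind of generation described above, added here as an illustration and not taken from Iggy or InSpec: it reads a Terraform state file and emits starter InSpec controls, listing the managed resources it could not cover. The state layout (format version 4), the constructed sample state, and the type-to-resource mapping are assumptions made for the example; values from the state are escaped before being written into the generated Ruby.

```ruby
require 'json'

# Constructed sample state (format version 4), trimmed to the fields used here.
SAMPLE_STATE = <<~JSON
  {"version": 4, "resources": [
    {"mode": "managed", "type": "aws_s3_bucket", "name": "logs", "instances": [{"attributes": {"bucket": "example-logs"}}]},
    {"mode": "managed", "type": "aws_security_group", "name": "web", "instances": [{"attributes": {"id": "sg-0123456789abcdef0"}}]},
    {"mode": "data", "type": "aws_ami", "name": "base", "instances": [{"attributes": {"id": "ami-00000000"}}]},
    {"mode": "managed", "type": "random_id", "name": "suffix", "instances": [{"attributes": {"id": "abcd"}}]}
  ]}
JSON

# Assumed mapping: Terraform type => [InSpec resource, InSpec parameter, state attribute].
RESOURCE_MAP = {
  'aws_s3_bucket'      => %w[aws_s3_bucket bucket_name bucket],
  'aws_security_group' => %w[aws_security_group group_id id]
}.freeze

# Returns [controls, skipped]: generated control source strings, plus the addresses
# of managed resources with no mapping, which still need a hand-written control.
def starter_controls(state_json)
  state = JSON.parse(state_json)
  raise ArgumentError, 'expected state format version 4' unless state['version'] == 4

  # Data sources are lookups, not deployed infrastructure, so only "managed" counts.
  managed = state.fetch('resources', []).select { |r| r['mode'] == 'managed' }
  mapped, unmapped = managed.partition { |r| RESOURCE_MAP.key?(r['type']) }
  skipped = unmapped.map { |r| "#{r['type']}.#{r['name']}" }
  controls = mapped.flat_map do |res|
    inspec_res, param, attr = RESOURCE_MAP[res['type']]
    address = "#{res['type']}.#{res['name']}"
    res.fetch('instances', []).each_with_index.map do |inst, i|
      value = inst.dig('attributes', attr)
      next if value.nil?

      # String#inspect escapes quotes and "#{", so state values stay string literals.
      <<~CONTROL
        control #{"#{address}[#{i}]".inspect} do
          title #{"Terraform-managed #{address} exists".inspect}
          describe #{inspec_res}(#{param}: #{value.to_s.inspect}) do
            it { should exist }
          end
        end
      CONTROL
    end.compact
  end
  [controls, skipped]
end
```

The `skipped` list matters as much as the generated controls: a resource type without a mapping is infrastructure that the starter profile does not check.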

The improved metadata on controls introduces a key-value description interface that allows more fine-grained reporting, and de-duplication of controls that satisfy one or more compliance regimes. For example, users can create custom metadata categories such as what compliance regime the control is for, and how to remediate or escalate the findings.

The difficulty tackled by InSpec is the maintenance of compliance across rapidly evolving hybrid IT strategies and ever-changing regulatory requirements. "InSpec 3.0," says Corey Scobie, SVP of product and engineering at Chef, "eases the path to compliance for both developers and operations teams, and helps accelerate enterprises' digital transformations by laying a solid foundation for cloud migration."