Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Chef Launches New Version for DevSecOps Automated Compliance

Chef Software has announced the latest version of its InSpec compliance automation platform for DevSecOps. InSpec provides an open source high-level language to share security and compliance rules between development, security, and operations engineers. Compliance can be with internal security policy, infrastructure provisioning, and external regulatory requirements.

Chef Software has announced the latest version of its InSpec compliance automation platform for DevSecOps. InSpec provides an open source high-level language to share security and compliance rules between development, security, and operations engineers. Compliance can be with internal security policy, infrastructure provisioning, and external regulatory requirements.

InSpec allows security and compliance requirements to be expressed in a common language for all groups. So, if the security group specifies that an application requires a mandatory access control system, this can be added to InSpec as a few lines of simple code. As the development proceeds, InSpec checks that all such specified requirements are included within the application.

“Due to the human-readable way InSpec code is written, we’ve had success getting buy-in from the non-technical decision makers, which has been crucial in supporting our transformation efforts,” comments Hans Nesbitt, cloud engineer at Pacific Life.

Where there are external regulatory requirements, the method of fulfillment can be specified in the same high-level language, and the platform will check for its inclusion within the application as development proceeds. InSpec does not tell the development team how to conform to any particular requirement — such as GDPR or PCI — but ensures that the chosen method of compliance specified by the security team is included within the final product. This is done continuously throughout the development cycle to ensure that security is built into the product rather than added at the end.

“With InSpec as an integral part of our pipeline, explains Keith Walters, director of partner solutions for TapHere! Technology, “we are able to automatically test for security and compliance throughout the development process. The detailed visibility into our systems that InSpec provides enables us to drive towards an Automated ATO (Authority to Operate), or approval to push live. This accelerates how we deliver mission capabilities to our citizens and service members while adhering to our security requirements.”

InSpec 3.0 adds a new plugin architecture; improved exception management; compliance with Hashicorp Terraform and Google Cloud Platform (GCP); and improved metadata.

The plugin architecture makes it easier for developers to extend their use of InSpec. Directly from InSpec it allows new custom resources to be included. Via the Train (TRAnsport INterface library) it can extend the process to include new device types and clouds, such as Digital Ocean and Alibaba. It also extends InSpec’s compliance capabilities with native support for GCP.

“InSpec,” says Nesbitt, “has helped us break down silos between the application developers, operations and security teams as we migrate to the cloud. It gives everyone confidence that we can automatically deploy and maintain infrastructure as code in a transparent, repeatable, and secure way.”

Advertisement. Scroll to continue reading.

The improved exception management allows InSpec controls to be skipped on nodes where they are unnecessary or simply not required. This could include specific devices that have the specified controls already built-in; where inclusion of those controls is not necessary, perhaps because the device is air-gapped; or where the addition of the controls could interfere with delicate operations and exclusion of the controls is defined as an acceptable risk.

Integration with Terraform has two primary components: ‘Provisioning’ runs InSpec tests after a ‘terraform apply’ operation for servers and clouds; and an InSpec Generator (known as ‘Iggy’) generates a starter set of InSpec controls by parsing an existing Terraform state file. “This is a big deal,” adds Nesbitt, “because we will catch and prevent deployment of non-compliant infrastructure, which saves costs and enhances security.”

The improved metadata on controls introduces a key-value description interface that allows more fine-grained reporting, and de-duplication of controls that satisfy one or more compliance regimes. For example, users can create custom metadata categories such as what compliance regime the control is for, and how to remediate or escalate the findings.

The difficulty tackled by InSpec is the maintenance of compliance across rapidly evolving hybrid IT strategies and ever-changing regulatory requirements. “InSpec 3.0,” says Corey Scobie, SVP of product and engineering at Chef, “eases the path to compliance for both developers and operations teams, and helps accelerate enterprises’ digital transformations by laying a solid foundation for cloud migration.” 

Related: Automated Compliance Testing Tool Accelerates DevSecOps 

Related: Neglected Step Child: Security in DevOps 

Related: SecOps: The Roadkill Victim of DevOps’ Need for Speed 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.