Chef Introduces InSpec 3.0
October 16, 2018

Chef announced significant updates to its InSpec by Chef compliance automation platform, including a new plugin architecture, greatly improved ease of use, improved exception management and automated compliance for Terraform.

InSpec 3.0 greatly increases the velocity of compliance audits and remediation, while reducing risk for cross-functional security, development and operations (DevSecOps) teams and their organizations.

InSpec is an open-source language for describing security and compliance rules that can be shared between software engineers, operations and security engineers. Unlike other products, InSpec is designed to be used at all stages of the software delivery process, from developers’ workstations to production, allowing companies to achieve continuous compliance with no performance impact or side-effects. In contrast to other compliance languages, InSpec is designed to be easy to use, even by users with no background in programming.

New features in InSpec 3.0 designed to enhance the developer experience include:

- New plugin architecture: The InSpec 3.0 plugin architecture makes it easier for developers to extend InSpec for use with a broader variety of systems in need of compliance automation. Available for both InSpec and Train (Transport Interface Library), the plugin architecture allows both pluggable communication protocols and new InSpec resource types to be developed easily.

- Improved exception management: Exception management is challenging both in terms of the ability to skip the execution of certain InSpec controls on specific nodes (e.g., those with compensating controls) and the ability to keep track of acceptable failures (i.e., where controls are not skipped but the failures are acceptable). InSpec 3.0 enables both actions, streamlining processes and outcomes to facilitate core audit and remediation capabilities while minimizing confusion.

- Workflow-enhancing APIs: InSpec 3.0 allows developers to more easily author new resources -- classes of “things” that can be tested on a system or a cloud. This includes the introduction of a new, stable API between profiles -- groups of compliance tests similar to Chef Cookbooks -- and attributes -- the data that enables users to modify how tests are conducted. Improvements to the packaging (vendoring) mechanism for profiles allow developers to more easily iterate on InSpec profiles with dependencies.

InSpec 3.0 features designed to improve user experience, especially in highly mixed environments, include:

- Compliance for Terraform: A provisioner plugin for Terraform allows InSpec to be executed during a Terraform run in order to validate the state of virtual machines as well as cloud infrastructure in one seamless operation. InSpec 3.0 also provides InSpec-Iggy ("InSpec Generator", or I.G.), which allows users to generate compliance controls from a Terraform state file. Both of these features extend compliance into a new domain, allowing provisioning-as-code to be properly validated for compliance whenever changes are proposed to it.

- Compliance for Google Cloud Platform (GCP): Native support for GCP, using InSpec 3.0’s new plugin architecture, further extends InSpec’s cloud compliance capabilities. Premium InSpec content in Chef Automate to support the Center for Internet Security (CIS) benchmarks for GCP helps customers get started quickly to ensure compliance across cloud applications and infrastructure. The CIS has certified Chef as the first compliance automation vendor implementing the CIS GCP Benchmark.

- Improved metadata interface on controls: InSpec 3.0 introduces a key-value based description interface, allowing for more fine-grained reporting as well as de-duplication of controls that satisfy one or more compliance regimes. This allows users to create custom metadata categories, e.g., what compliance regime or regimes a control is for, how to remediate a finding, or how to escalate the finding.

“Establishing and maintaining compliance across heterogeneous environments is a daunting task, made more so by ever-shifting regulatory requirements alongside rapidly-evolving hybrid IT strategies,” said Corey Scobie, SVP of Product and Engineering at Chef. “InSpec 3.0 further eases the path to compliance for both developers and operations teams, and helps accelerate enterprises’ digital transformations by laying a solid foundation for cloud migration.”
