Continuous automation vendor, Chef, has announced the availability of InSpec 2.0, a new version of Chef's free open source tool. InSpec enables DevOps and cross-functional application, infrastructure and security teams to express security and compliance rules as code, and assess and remediate compliance issues through the entire software delivery life cycle.
InSpec 2.0, cloud configuration support for Amazon Web Services (AWS) and Microsoft Azure give users the ability to write compliance rules against cloud resources using APIs with user-defined custom compliance policies. The new version of the tool contains over thirty new resources, allowing users to write compliance rules for common applications and configuration files without requiring any programming knowledge. These include Docker, security keys (RSA/DSA/x509), webserver (IIS/nginx/Apache) configurations, packages (both system as well as Perl/R/etc.), PostgreSQL and MySQL database configurations, XPath matching in XML config files and ZFS storage pool configurations.
InSpec results can now be exported in JUnit format for integration into continuous delivery tools such as Jenkins, and compliance profiles can be pulled from Chef Automate. Previously announced integration with Amazon Systems Manager (SSM) further supports InSpec in the cloud. Several performance improvements are also available in the newest version; InSpec 2.0 runs 90% faster than InSpec 1.0 on Windows and 30 percent faster on Linux.
InSpec is built in the Ruby programming language, and can run on Windows and many Linux distributions, and also inside Docker containers. InSpec tests are intended to be human-readable and familiar to people who have used testing frameworks such as RSpec and ServerSpec.
InSpec approaches reaching compliance and security goals as a two-phase process referred to as detect and correct. The first phase, detect, is knowing where systems are potentially out of compliance or have potential security vulnerabilities. The second phase, correct, involves remediating the compliance failures identified in the detect phase. InSpec automates these phases.
An InSpec test is called a control, and controls are grouped into profiles. Typically InSpec is run from the CLI, and remotely on targets or the systems targeted for monitoring. InSpec works over the SSH protocol when scanning Linux systems and the WinRM protocol when scanning Windows systems; InSpec does not require software to be installed on the target system. InSpec profiles can be browsed on Chef Supermarket or from the InSpec CLI.
Jon Williams, CTO of niu Solutions, said:
InSpec has helped us unify our compliance, security and DevOps teams and streamlined audits, reducing the staff hours required and eliminating duplication of effort and data throughout the process. It has given these teams more control over compliance policies and enabled business units to be more active in maintaining their own environments. Most critically, it allows us to continually monitor for audit compliance, ensuring desired state and eliminating change drift between nodes.
InSpec was created via the acquisition of VulcanoSec, a German compliance and security firm that Chef purchased in 2015. InSpec 2.0 is open source and available for download on Github.