Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

InSpec 2.0 Delivers Compliance at Velocity to Accelerate DevSecOps

DZone's Guide to

InSpec 2.0 Delivers Compliance at Velocity to Accelerate DevSecOps

Open source compliance automation reduces assessment and remediation time by up to 95 percent when compared to manual processes.

· DevOps Zone ·
Free Resource

DevOps involves integrating development, testing, deployment and release cycles into a collaborative process. Learn more about the 4 steps to an effective DevSecOps infrastructure.

Thanks to Julian Dunn, Director of Product Marketing and Dominick Richter, Senior Product Manager of Chef for introducing me to InSpec 2.0, a compliance automation solution that accelerates DevSecOps by allowing cross-functional application, infrastructure and security teams to assess and remediate compliance issues from development through the entire software delivery lifecycle.

InSpec 2.0 provides cloud configuration testing (including Microsoft Azure and AWS), more than 30 new conformance capabilities (including Docker, IIS, NGINX, and PostgreSQL), enhanced integration with third-party tools and improved ease-of-use and customizability.

InSpec is the first step in Chef’s “Detect, Correct, Automate” loop approach to cloud migration and continuous automation. It helps organizations maintain an up-to-date view of compliance status in production, detect security issues long before they reach production and reduce risk while delivering applications faster.

An open-source framework for describing security and compliance rules that can be shared between software engineers, operations, and security engineers, InSpec enables compliance at velocity at all stages of the software delivery process, from the developer’s workstation all the way to production, with no performance impact or side-effects. InSpec’s readability means it is easy to use and understand for all team members, including those whose roles involve minimal coding, thus providing the opportunity for collaboration between compliance, security, and DevOps.

New Capabilities

  • Cloud configuration compliance: InSpec 2.0 gives users the ability to write compliance rules against cloud resources, including AWS and Microsoft Azure, with user-defined custom compliance policies. 

  • Improved user experience: InSpec 2.0 contains more than 30 new resources, allowing users to write compliance rules for many common applications and configuration files without requiring any programming knowledge. These include Docker, security keys (RSA/DSA/x509), webserver (IIS/nginx/Apache) configurations, packages (both system as well as Perl/R/etc.), PostgreSQL and MySQL database configurations, XPath matching in XML config files, ZFS storage pool configurations and many more. 

  • New integrations: InSpec results can now be exported as JUnit format for integration into continuous delivery tools such as Jenkins and can pull compliance profiles from Chef Automate. Previously-announced integration with Amazon Systems Manager (SSM) provides a frictionless on-ramp to InSpec in the cloud. 

  • Improved performance: InSpec 2.0 runs 90 percent faster than InSpec 1.0 on Windows and 30 percent faster on Linux.

According to Dominick, engineers like InSpec 2.0 because it lets them see how all of the different pieces fit together while developers have a higher degree of automation to scale up with no surprises. Solutions are easier to manage like cloud and container.

“InSpec has helped us unify our compliance, security and DevOps teams and streamlined audits, reducing the thousands of staff hours usually required by as much as 95 percent and eliminating duplication of effort and data throughout the process,” said Jon Williams, CTO of niu Solutions. “It has given these teams more control over compliance policies and enabled business units to be more active in maintaining their own environments. Most critically, it allows us to continually monitor for audit compliance, ensuring the desired state and eliminating change drift between nodes.”

“InSpec 2.0 builds on our commitment to build the essential tools and services needed for modern application teams to truly deliver on the promise of DevSecOps, fully integrating security with development and deployment for traditional and cloud-native software delivery,” said Marc Holmes, VP of marketing at Chef. “InSpec provides an easy-to-learn, open-source path to incorporating security and compliance requirements as code directly with the delivery process, ensuring that applications and infrastructure are compliant every step of the way -- not just at the end of the process.”

Industry and government regulations are increasing in number, complexity, and impact. With notable efforts ranging from PCI in retail to HIPAA in healthcare, to GDPR for personal data in EU, their reach is broad and the costs for non-compliance high. PCI-related fines range from $5,000 to $100,000 per-incident, per-month1; fines of up to $1.5 million can be applied for HIPAA violations2 and GDPR-related fines can rise as high as 20 million EUR, or four percent of a company’s annual revenues, whichever is higher3. Still, processes and procedures for assessment and compliance remain ad-hoc, arbitrary and manual, in most cases.

As a recent report from Gartner4 notes, “Manual processes are complex and tedious… Human error threatens not only regulatory compliance obligations but business outcomes. Auditors favor the consistency and traceability of automated systems that have strong logging capabilities and transparent auditable controls… With increased automation, management oversight, including detection and incident response, is simpler, faster and can be tested on demand by auditors with less stress for I&O.”

A recent survey of more than 1,500 users conducted by Chef found that 74 percent of cross-functional application, infrastructure, and security teams assess software for compliance manually prior to production. Once violations and vulnerabilities are discovered, half remediate manually instead of automating the process. Manual processes result in teams’ detecting and remediating security issues in days (31 percent) or weeks (19 percent), instead of hours (18 percent).

As a recent paper5 from SANS Institute notes, "To scale in a large hybrid or public cloud, security will need to embrace automation, a concept that many security practitioners have been loath to embrace. For true DevSecOps to take hold, security teams will need to embed automated tests and validation of controls into the deployment cycle and monitor applications continuously in production with triggered responses that can roll controls back to a known good state, among other outcomes."

1http://www.focusonpci.com/site/index.php/pci-101/pci-noncompliant-consequences.html

2https://www.ama-assn.org/practice-management/hipaa-violations-enforcement

3https://www.eugdpr.org/key-changes.html

4Gartner, How [H1] to Avoid Compliance and Audit Concerns When Using DevOps Published: 17 November 2017 ID: G00337518

5 https://www.sans.org/reading-room/whitepapers/analyst/devsecops-playbook-36792

Read the 4-part DevOps testing eBook to learn how to detect problems earlier in your DevOps testing processes.

Topics:
devops ,devsecops

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}