InSpec 3.0 Release: Features and What It Means to Be Compliant

Want to learn more about the newest version of InSpec? Check out this post where we explore the new features of InSpec 3.0 and what it means to be compliant.


On Tuesday, October 16, Chef announced the release of InSpec 3.0, an open-source language designed to implement compliance rules and continuous automation across all systems.

InSpec is an open-source language used to describe and implement compliance rules that can be used by both DevSecOps teams and those with little or no programming experience. The language is designed to be universal and easy to use, making compliance audits and remediation easier and more efficient.

This version introduces enhancements to exception management, new workflow APIs, an improved plug-in architecture, and user-experience improvements, including support for Terraform, GCP, and metadata interface controls.

Julian Dunn, Director of Product Marketing at Chef, explains the major issues facing companies in regard to compliance and automation, saying, “One of the reasons we invented this technology is because of what a developer understands in terms of code quality, which is like, ‘well, if the test passed, then I'm good to go home for the day.’” Security compliance and automation typically aren't top priorities for developers, according to Dunn.

"But if you tell them, ‘here's a package of tests; these are the compliance tests,’ and as long as this stuff passes through the delivery pipeline and this flow is green by the time you're done with your work, you're good to go. You're security compliant — that's something that a developer can understand," Dunn said.

The solution to these problems, he explains, is found in InSpec 3.0, which provides additional support for larger, more complex systems. For example, this version makes it easier for teams to work on VMware and network devices than the previous framework did, opening up the language to a wider variety of groups and systems.

Additionally, this version focuses on cloud security. Previous versions of InSpec provided support for servers and containers, according to Dunn, but this release allows security teams to test the entire cloud infrastructure, including storage buckets, network rules, and VPC setup.

What Does It Mean to Be Compliant?

Being compliant, according to Dunn, means that all teams are working together and following the same set of security procedures. Once these protocols are established, companies can work across all departments to make sure that they are successful and secure.

"Compliance is an activity that everybody needs to do — both your systems administrators who are already working more on the infrastructure side, as well as the application developers that are working, of course, on their code on the application side," says Dunn.

This is where InSpec 3.0 can help companies implement security protocols during all development stages through audits and automation. Dunn not only stresses the importance of being compliant and holding teams to a set security standard but also notes that implementing these practices can reduce risk for cross-functional security and DevSecOps teams.

The primary goal for this third release is to provide additional support for enterprises that want to incorporate security and compliance audits, even if they do not have prior experience, explained Dunn.

"There's a big translation problem because there's ambiguity that then just leads to a lot of disagreements about what it actually means to be compliant," he said, adding, "What ends up happening is disagreements that slow down a company, where people just ignore it in the rush to get products to production… this is a language where everybody can agree on what it actually means to be secure and compliant."

For more information, check out the Chef blog.
