Chef InSpec 2.0 helps automate security compliance in cloud apps

How many times do you hear about a company exposing sensitive data because it forgot to lock down a data repository on Amazon? It happens surprisingly often. Chef wants to help development and operations teams prevent that kind of incident. Today, the company released InSpec 2.0, which is designed to help automate application security and compliance in the cloud.

InSpec is a free, open source tool that lets development teams express security and compliance rules as code. Version 1.0 focused on ensuring that applications themselves were set up properly. The new version extends that capability to the cloud platforms the applications run on, letting teams write and run rules that test compliance with cloud security policy. It supports AWS and Azure and ships with checks for 30 common configurations out of the box, including Docker, IIS, NGINX and PostgreSQL.

Companies running multiple applications across multiple clouds face a hard problem in today's continuous development environment: it is fairly easy to leave a database exposed when humans are expected to keep checking, by hand, whether every resource is still in compliance.

Chef wants to help with that problem by offering a tool that automates compliance checks. It takes some work to get the security, development and operations teams together to agree on what needs to be locked down, but once they have that agreement, they can use InSpec's scripting language to write rules that validate the cloud configuration against it.

Chef's director of product marketing Julian Dunn says that anyone used to scripting languages should be able to pick it up. "A language like InSpec allows customers to customize and write the rules specific to the cloud they are in and specific to their cloud deployment and check the things they care about," he said.

[Image: InSpec scripting language example. Code sample: Chef]

"The language is designed to be easy to read and write. It's intended for security engineering folks who don't have programming background, but have scripting experience," Dunn added. Once the rules are written, teams can run them against their environment, see which areas are out of compliance and take steps to fix them.
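To make the "compliance as code" idea concrete for the exposed-bucket scenario the article opens with, here is an added example of what such a rule looks like in practice. It is not Chef's code sample from the page and not part of InSpec itself: the script scaffolds a minimal InSpec 2.0 profile (an inspec.yml plus one control file in InSpec's Ruby-based DSL) that fails for any S3 bucket the credentials can see that is publicly accessible, and then runs it against the AWS API. The profile name s3-public-check, the default region us-east-1, and the assumption that AWS credentials are already present in the environment are all choices made for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the article or from Chef): scaffold a minimal
# InSpec 2.0 profile that checks that no S3 bucket in the account is public,
# then run it against AWS. Assumed for this example: profile name
# "s3-public-check", region us-east-1, AWS credentials in the environment.

write_profile() {
  dir="$1"
  mkdir -p "$dir/controls"

  # Profile metadata. "platform: aws" is how an InSpec 2.0 profile declares
  # that it targets a cloud API rather than an operating system.
  cat > "$dir/inspec.yml" <<'YAML'
name: s3-public-check
title: S3 buckets must not be public
version: 0.1.0
supports:
  - platform: aws
YAML

  # The control itself, in InSpec's Ruby-based DSL.
  cat > "$dir/controls/s3_public.rb" <<'RUBY'
# Iterate over every bucket the credentials can see, so a newly created
# bucket is checked automatically instead of relying on someone to notice it.
aws_s3_buckets.bucket_names.each do |name|
  control "s3-not-public-#{name}" do
    impact 1.0
    title "S3 bucket #{name} must not be publicly accessible"
    desc 'A bucket ACL or policy granting access to AllUsers or ' \
         'AuthenticatedUsers exposes the contents to anyone on the internet.'
    tag 'data-exposure'

    describe aws_s3_bucket(bucket_name: name) do
      it { should exist }
      it { should_not be_public }
    end
  end
end
RUBY
}

# Run the profile against the AWS API in the given region. Credentials are
# taken from the usual AWS environment variables or ~/.aws/credentials.
run_profile() {
  dir="$1"
  region="${2:-us-east-1}"
  if command -v inspec >/dev/null 2>&1; then
    inspec exec "$dir" -t "aws://$region"
  else
    echo "inspec not installed; profile written to $dir but not executed" >&2
    return 0
  fi
}

# Syntax-check the generated control file as plain Ruby when a ruby binary
# is available. Only the syntax is checked here: the DSL methods (control,
# describe, aws_s3_bucket, ...) exist only when InSpec loads the file.
check_syntax() {
  if command -v ruby >/dev/null 2>&1; then
    ruby -c "$1/controls/s3_public.rb" >/dev/null
  fi
}

profile_dir="${PROFILE_DIR:-${TMPDIR:-/tmp}/s3-public-check}"
write_profile "$profile_dir"
check_syntax "$profile_dir"
run_profile "$profile_dir" "${AWS_REGION:-us-east-1}"
```

Each bucket gets its own control, so the report names exactly which bucket failed rather than a single pass/fail for the account; the same describe/it pattern is used for InSpec's other resources, so a check on an NGINX or PostgreSQL configuration reads the same way with a different resource in the describe block.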

InSpec came to Chef through its 2015 acquisition of VulcanoSec, a German compliance and security firm. InSpec 2.0 is open source and available for download on GitHub.