
InSpec is a tool that allows DevSecOps teams to create compliance automation in their infrastructure.


I’m sure you’ve heard of infrastructure as code. It’s a common term coined to describe how DevOps teams stand up servers, networks and applications in a cloud environment. With a “single click” your entire infrastructure can be stood up and configured in a repeatable and predictable way. It would make sense, then, that if we can do infrastructure as code, DevSecOps should be able to master compliance as code. Enter InSpec, a tool from Chef that allows DevSecOps teams to create compliance automation in their infrastructure.

What is InSpec?

InSpec is an open source testing framework from Chef modeled after ServerSpec. InSpec takes many of the popular aspects of ServerSpec (static expressions, flexibility, and human readability) and builds upon them. Expanded resources, faster runtime, and cloud integration (new with InSpec 2.0) all enhance what ServerSpec already made great. But the aspect of InSpec that truly sets it apart is its compliance capabilities. Many DevOps teams understand the importance of test-driven development, but many of them fail to enforce that same level of testing when it comes to infrastructure code.

With InSpec, a team can describe the desired state of infrastructure after convergence (integration testing in a nutshell). They can then expand on those tests by creating InSpec profiles which are shareable, extendable, and measurable. The end goal of InSpec is to address both security and compliance by testing your infrastructure in a repeatable fashion.

Using InSpec Profiles for Compliance

Your compliance team can be in control of what’s tested and reported. Not only is there already a robust community for sharing proven profiles, but Chef Automate ships with a number of CIS security benchmark profiles. Because these profiles are code, they can be shaped by your DevSecOps teams to best fit your environment. For example, say you have an upstream dependency that is blocking you from being compliant with a given benchmark. You can modify your control to account for this and log a story to fix it when you are able.


Controls within a profile also carry a defined criticality and descriptive metadata, and these can be adjusted to meet your company’s internal compliance requirements.
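The two points above (a control modified to carry a documented exception for an upstream blocker, and per-control criticality and metadata) as one worked example. This is an added illustration, not code from the New Context post or from Chef; the profile name, control IDs, the `legacy-agent` package and the target directory are all assumptions. The script scaffolds a minimal InSpec profile on disk; the controls themselves are the InSpec Ruby DSL.

```shell
#!/bin/sh
# Added example (not from the original post): scaffold a minimal InSpec
# profile that pins criticality (impact) and metadata on each control and
# records an explicit exception for a control blocked by an upstream
# dependency. Profile name, control IDs and package name are assumptions.
set -eu
PROFILE_DIR="${1:-${TMPDIR:-/tmp}/example-baseline}"   # assumed location

write_profile() {
  mkdir -p "$PROFILE_DIR/controls"

  # Profile metadata: name and version are what compliance reports key on.
  cat > "$PROFILE_DIR/inspec.yml" <<'EOF'
name: example-baseline
title: Example SSH baseline (constructed)
version: 0.1.0
supports:
  - platform-family: linux
EOF

  # Controls are Ruby. impact (0.0-1.0) is the criticality; title/desc/tag
  # are the descriptive metadata a compliance team can tune per control.
  cat > "$PROFILE_DIR/controls/sshd.rb" <<'EOF'
# Constructed controls; IDs and wording are illustrative, not CIS items.
control 'ssh-01' do
  impact 0.7
  title 'sshd must not permit root login'
  desc 'Direct root logins remove accountability for privileged actions.'
  tag category: 'access-control'
  describe sshd_config do
    its('PermitRootLogin') { should cmp 'no' }
  end
end

# Hypothetical upstream blocker: a legacy agent still needs password auth.
# only_if skips the control with a reason, so the report shows the gap
# instead of silently passing; the desc records the follow-up story.
control 'ssh-02' do
  impact 0.5
  title 'sshd must not allow password authentication'
  desc 'Exception tracked as a follow-up; remove once legacy-agent is upgraded.'
  only_if('blocked by upstream dependency legacy-agent') { !package('legacy-agent').installed? }
  describe sshd_config do
    its('PasswordAuthentication') { should cmp 'no' }
  end
end
EOF
}

write_profile
```

Validate the scaffold with `inspec check "$PROFILE_DIR"` and run it against a host with `inspec exec "$PROFILE_DIR" -t ssh://user@host`; the skipped control appears in the report with the stated reason rather than as a pass.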

Why is Compliance as Code Important?

Using security or compliance as code helps to accelerate the adoption of DevSecOps. If your team can describe their infrastructure as code, then the security and compliance team should join your DevOps team by describing compliance and security as code. Taking the adaptive approach, where DevOps and Security work together, helps ensure that compliance and security checks are in place across your organization.

Automation delivers value immediately and begins to yield operational cost savings. When it comes time for an audit, using a tool like InSpec should help to make your audit cycle faster and less expensive.

At New Context, our DevSecOps consultants perform hands-on and management consulting to help your business create a repeatable, more secure, compliant and consistent software release process. We work with customers to increase the velocity of software releases by using continuous deployment, continuous delivery and continuous compliance pipelines.

InSpec Enables Agile Development Practices

At New Context, our hands-on infrastructure and automation consulting services enable customers to use agile development processes – processes which enable you to get code from idea to production in a much faster and more secure way. If your organization would benefit from an assessment of your compliance architecture readiness, get in touch with us.