IT Science Case Study: How Chef Cooked Up Better Security

Chef is an innovative, fast-moving company that is driven by speed to market using a DevOps approach to engineering. It needed a better security system, and it found one.


This is the latest article in a new occasional feature series in eWEEK called IT Science, in which we look at what really happens at the intersection of new-gen IT and legacy systems.

Unless they’re brand new and right off various assembly lines, the servers, storage and networking inside every IT system can be considered “legacy.” This is because the iteration of both hardware and software products is speeding up all the time. It’s not unusual for an app-maker, for example, to update and/or patch an application for security purposes a few times a month, or even a week. Some apps are updated daily! Hardware moves a little slower, but manufacturing cycles are also speeding up.

These articles will describe industry solutions only and won’t focus on any single product. The idea is to look at real-world examples of how new-gen IT products and services are making a difference in production each day. Most of them will be success stories, but there will also be others about projects that blew up. We’ll have IT integrators, system consultants, analysts and other experts helping us with these as needed.

Today’s IT Science Feature: Platform-as-a-Service Provider Chef

This article is about DevOps tool provider Chef. Chef is an innovative, fast-moving company that is driven by speed to market using a DevOps approach to engineering. Chef makes an automation platform that transforms infrastructure into code.

Name the problem to be solved: The engineering group required a security solution that could scale with their business. Due to a high volume of requests, previous web application firewall (WAF) evaluations had shown the risk of false positives to be very high.

As a transformation solution, Chef helps customers embed more effective security throughout their entire development cycle.

Describe the strategy that went into finding the solution: Chef’s development and operations teams required more visibility into the changing vulnerabilities and attack vectors across their applications. They knew that in order to help other organizations achieve business transformation, they needed to embed scalable security into their own application delivery pipeline.

Chef searched for a security solution to provide a full spectrum of security visibility and ease of use for their developers without negatively impacting performance. Chef required security at the speed of DevOps.

Chef’s development and operations teams chose Signal Sciences because “everything just works brilliantly.” Signal Sciences allows a company with limited security bandwidth to seamlessly embed security across teams throughout its entire DevOps process.

List the key components in the solution: In order to resolve its challenges, Chef required a technology that had:

  • minimal impact on performance. Because Chef is an organization that requires high performance to keep up with their customers’ innovation and speed, it was critical that any added security solution provide security without negatively impacting the development lifecycle;
  • no additional overhead, maintenance, and training. One of Chef’s biggest priorities is avoiding additional burden to the engineering and security teams. It was important that they find a security solution that was easy to use without adding additional security resources; and
  • elimination of false positives for legitimate traffic. Chef’s team evaluated other WAF solutions and found that they often flagged and blocked a large number of legitimate requests. Chef needed a solution that would help its customers securely access the Chef platform, without hindering their customer experience and productivity.

Describe how the deployment went, perhaps how long it took, and if it came off as planned: With Signal Sciences installed, the Chef team has full confidence that any attacks will be automatically detected and blocked, and relevant alerts will be surfaced through their existing DevOps tool chain.

Signal Sciences Web Protection Platform is a security solution that DevOps teams actually want to use, said Ben Rockwood, Chef Director of Engineering.

“Signal Sciences doesn’t hold us up. If anything, it actually enables us to continue forward on our larger business initiatives—without using my engineering pipeline to leverage security,” Rockwood said. “With Signal Sciences Web Protection Platform in place, I never have to worry about unnecessarily taxing my engineering pipeline.”

Describe the result, new efficiencies gained, and what was learned from the project.

  • No performance impact to existing Chef systems. When Chef first deployed Signal Sciences WPP into its application stack, the Ops team didn’t even realize that the product had been turned on. The Signal Sciences solution added almost zero additional latency. With Signal Sciences in place, Chef didn’t have to make the tradeoff between security and high performance for their customers—they could have both.
  • Access to complex security data that is easy to comprehend. Signal Sciences gives Chef powerful visibility and remediation capabilities that are consumable by the entire organization at a wide variety of skill levels, giving everyone continuous situational awareness. Signal Sciences is able to surface only the most important alerts and anomalies in consumable dashboards and immediately alert teams through ChatOps tools like Slack. Without being a security expert, any Chef team member can easily access security data and quickly understand what’s going on within the application.
  • Security automation that enables DevOps priorities. The Chef development team embraces security rather than working around it. Signal Sciences WPP has successfully increased their automation, adding even more momentum to the development and operations pipeline. Signal Sciences WPP gives Chef’s DevOps team the option to share the responsibility of security, by seamlessly scaling their security posture with their development teams.


If you have a suggestion for an IT Science article, email [email protected]

Chris Preimesberger


Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...