Chef Launches InSpec 2.0 to Improve Security Compliance Automation

Chef updates its open-source detection and evaluation tool to help organizations with security compliance in the cloud.


DevOps vendor Chef announced on Feb. 20 the latest edition of its open-source InSpec compliance tool in an effort to accelerate and enable a DevSecOps approach to IT security.

The emerging discipline of DevSecOps (Developer Security Operations) involves using programmatic constructs and automation to improve and scale IT security. With InSpec 2.0, organizations can define policy profiles for IT infrastructure that is both on-premises and in the cloud.

"The major feature in InSpec 2.0 is the ability now to check for cloud compliance," Julian Dunn, director of product marketing at Chef, told eWEEK. "In other words, this evolves InSpec from its roots as a language for checking compliance of machines and allows it to check APIs."

InSpec is an open-source tool that has its roots in technology that Chef gained through the acquisition of VulcanoSec in November 2015. When Chef acquired the InSpec technology from VulcanoSec, it had just achieved relative parity with ServerSpec, upon which InSpec was based, according to Dunn. He added that InSpec at the time of the Chef acquisition was not yet a stand-alone open-source project.

"Since we spun out InSpec as a separate tool, we've been adding many more out-of-the-box resources to allow for elegant expression of compliance checks," Dunn said. "For example, rather than using shell scripts to grep through various configuration file formats, we have language right within InSpec to do parsing of common formats like Apache configs or XML files and get the values you want without a lot of ceremony."

InSpec is both the name of the tool and the domain-specific language in which compliance rules are written. A collection of InSpec rules is known as a profile. What Chef charges for is enterprise content and the dashboard. 

"InSpec as a project doesn't supply any content: Users can write their own profiles or consume and customize ones from open-source sources like the Dev-Sec project [] or ones that users publish to the Chef Supermarket," Dunn said. "If they purchase Chef Automate, they have access to prewritten ones for common security baselines and get a subscription for new ones that we create."

Chef Automate is Chef's flagship platform that debuted in July 2016 as a technology to help organizations automate IT and developer process workflows. Dunn noted that InSpec is a detection and evaluation tool for machine and cloud correctness, and it can work with any tool to correct configurations, be that Amazon CloudFormation, Azure Resource Manager or Terraform for cloud resources, or Chef, Puppet or Ansible for machine-level configurations. 

For organizations that use InSpec as part of a Chef Automate deployment, they benefit from real-time and historical dashboards of compliance status to help with operational security response, as well as to satisfy audit requirements. In addition, Chef Automate users have the ability to schedule remote compliance scans against infrastructure and capture those results into a report.


InSpec is not the only open-source project that aims to help with security compliance. The Open Security Content Automation Protocol (SCAP) is another such project that is widely used. Dunn explained that SCAP is a specification for expressing and manipulating security data in standardized ways. 

"The main challenge with SCAP is in the complexity of its architecture and the often-opaque data interchange formats involved," he said. "SCAP documents are expressed in difficult-to-understand XML formats like XCCDF and OVAL and are not human-readable, in contrast to InSpec."


There are multiple compliance requirements that organizations can use InSpec to help automate. Checking to make sure that cloud storage resources are not publicly accessible is one use case where Dunn said InSpec can help. InSpec may also be able to help organizations be compliant with the European Union's General Data Protection Regulation (GDPR), which goes into effect on May 25. Like many compliance regimes, the application of GDPR is highly context-specific, he said.

"It is still up to the customer to interpret the requirements and apply them to their situation," Dunn said. "InSpec can fill the gap, getting agreement between compliance, security and IT on the rules for a particular situation."

For example, GDPR makes statements about securing workstations on which EU citizen data is being handled. Dunn noted that InSpec would help a firm covered by GDPR agree on compliance controls for those workstations, which might include, for example, a complex password policy.

Looking forward, Dunn said Chef will continue to extend the cloud compliance capabilities of InSpec in coming releases. Together with Chef Automate, Dunn said the plan is to have more InSpec profiles to help organizations with named compliance regimes like Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) as well as improving the existing profiles to keep up with evolving requirements. 

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.