Chef today expanded the reach of its InSpec platform for automating compliance management with an update that adds support for the Amazon Web Services (AWS) and Microsoft Azure public clouds, as well as integration with additional third-party tools. In total, InSpec 2.0 adds more than 30 capabilities, including support for Docker containers, the Microsoft IIS and NGINX web servers and PostgreSQL database software.
In addition, InSpec results can now be exported in JUnit format for integration into continuous delivery tools such as Jenkins. Compliance profiles can now also be pulled from Chef Automate.
Plus, InSpec 2.0 runs 90 percent faster than InSpec 1.0 on Windows and 30 percent faster on Linux, according to Chef.
Julian Dunn, director of product marketing for Chef, said the primary goal of InSpec is to enable DevSecOps teams to address compliance issues before an application gets deployed in a production environment. It’s not feasible for any DevSecOps team to remember all the compliance requirements that must be applied whenever a piece of software or hardware is configured, Dunn said.
InSpec provides a mechanism to automate compliance management using a set of declarative tools that don’t require anyone on the IT team to possess programming skills. Dunn conceded it’s still early on in terms of incorporating compliance into any DevSecOps initiative, most of which are nascent efforts themselves. But it’s now only a matter of time before compliance shifts left along with security, Dunn noted.
Security concerns become even more pronounced in the age of the cloud because developers are now routinely deploying workloads on top of infrastructure that is often not managed by an internal IT operations team, Dunn said. In fact, there has been a recent raft of security breaches stemming from data being left exposed on a public cloud such as AWS.
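The article describes InSpec at the feature level: declarative compliance controls that need no programming to author, JUnit output for a CI server such as Jenkins, and checks against cloud resources where data is too easily left exposed. The Ruby below is an added illustration of that shape and is not InSpec's DSL or any Chef code. Controls are declarative data evaluated against constructed sample inputs (an NGINX configuration fragment and a list of bucket attributes), results are rendered as JUnit XML, and a gate fails the run when a control at or above an impact threshold fails. The control ids, the configuration text, the bucket list and the threshold are all constructed for this example.

```ruby
# Constructed sample inputs; not taken from any real system.
NGINX_CONF = <<~CONF
  http {
    server_tokens on;
    ssl_protocols TLSv1.2 TLSv1.3;
  }
CONF

# Bucket attributes as a scanner might collect them (constructed names and flags).
S3_BUCKETS = [
  { name: "example-private-logs", public_read: false, encrypted: true },
  { name: "example-assets",       public_read: true,  encrypted: false },
]

# A control is declarative data: an id, what must hold, how severe a failure is,
# and a check that returns nil on pass or a short failure message.
Control = Struct.new(:id, :title, :impact, :check)

CONTROLS = [
  Control.new("nginx-01", "NGINX must not advertise its version", 0.3, lambda { |ctx|
    ctx[:nginx_conf].match?(/^\s*server_tokens\s+off;/) ? nil : "server_tokens is not off"
  }),
  Control.new("nginx-02", "NGINX must only offer TLS 1.2 or newer", 0.7, lambda { |ctx|
    ctx[:nginx_conf].match?(/ssl_protocols[^;]*(SSLv3|TLSv1(\.1)?[\s;])/) ? "legacy TLS enabled" : nil
  }),
  Control.new("s3-01", "No bucket grants public read", 1.0, lambda { |ctx|
    bad = ctx[:buckets].select { |b| b[:public_read] }.map { |b| b[:name] }
    bad.empty? ? nil : "public read on: #{bad.join(', ')}"
  }),
  Control.new("s3-02", "All buckets are encrypted at rest", 0.7, lambda { |ctx|
    bad = ctx[:buckets].reject { |b| b[:encrypted] }.map { |b| b[:name] }
    bad.empty? ? nil : "unencrypted: #{bad.join(', ')}"
  }),
]

# Evaluate every control against the supplied inputs and collect one result per control.
def run_controls(nginx_conf: NGINX_CONF, buckets: S3_BUCKETS, controls: CONTROLS)
  ctx = { nginx_conf: nginx_conf, buckets: buckets }
  controls.map do |c|
    message = c.check.call(ctx)
    { id: c.id, title: c.title, impact: c.impact, passed: message.nil?, message: message }
  end
end

def xml_escape(s)
  s.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Render results as JUnit XML so a CI server can show failures per control and gate the build.
def to_junit(results, suite_name = "compliance")
  failures = results.count { |r| !r[:passed] }
  suite = xml_escape(suite_name)
  lines = [%(<?xml version="1.0" encoding="UTF-8"?>),
           %(<testsuite name="#{suite}" tests="#{results.size}" failures="#{failures}">)]
  results.each do |r|
    name = xml_escape("#{r[:id]} #{r[:title]}")
    if r[:passed]
      lines << %(  <testcase classname="#{suite}" name="#{name}"/>)
    else
      lines << %(  <testcase classname="#{suite}" name="#{name}">)
      lines << %(    <failure message="#{xml_escape(r[:message])}" type="impact=#{r[:impact]}"/>)
      lines << %(  </testcase>)
    end
  end
  lines << "</testsuite>"
  lines.join("\n")
end

# CI gate: non-zero when any control at or above the impact threshold failed.
def gate_exit_code(results, threshold = 0.7)
  results.any? { |r| !r[:passed] && r[:impact] >= threshold } ? 1 : 0
end

if __FILE__ == $PROGRAM_NAME
  results = run_controls
  puts to_junit(results)
  # A pipeline wrapper would end with: exit gate_exit_code(results)
  puts "gate exit code: #{gate_exit_code(results)}"
end
```

On the constructed inputs the NGINX version check and both bucket checks fail, the TLS check passes, and the gate returns 1 because the public-read control has impact 1.0. Keeping the checks as data separate from the runner is what lets non-programmers read and review the controls, while the JUnit output is what lets the same failures block a deployment rather than surface only after it.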
There’s always been a fierce debate concerning the degree to which compliance encourages security. Advocates say that without some basic compliance requirements, the level of security inside most organizations would be even more abject than it already is. Others contend that compliance requirements only encourage organizations to implement the bare minimum of security required, thereby creating a false sense of security that cybercriminals easily exploit. Regardless of viewpoint, however, compliance requirements are not going away anytime soon. In fact, major security breaches now usually are accompanied by hefty fines that are based on the number of compliance requirements that were ignored.
Developers don’t always appreciate all the nuances of compliance when under pressure to deploy and update applications faster than ever. Organizations today need to find ways to enforce compliance mandates without slowing down the rate at which applications are developed. That is simply going to be impossible to achieve without increased reliance on automation. Today, unfortunately, most of what passes for a compliance process doesn’t begin until long after an application is deployed in production. Fixing those oversights once they are discovered is then a much more expensive proposition than it would have been had they been caught earlier in the application development life cycle.
— Mike Vizard