One year ago, we released InSpec, an open-source project for infrastructure and test automation that helps companies incorporate compliance into their deployment pipelines. Today, after 70 releases, and with a great development community to support us, we are proud to announce InSpec 1.0 and the launch of inspec.io.
InSpec for DevOps
InSpec is primarily for end-to-end code testing and compliance analysis. Users can verify the state of their infrastructure and applications and correct issues before they show up as bugs in the code.
The InSpec language and framework allows companies to express their compliance requirements as code and then automatically test for adherence to those policies as part of the deployment pipeline. When compliance is code, you can identify issues early in the development process rather than delaying a release because of slow, manual security checks that occur after the fact. With InSpec, companies can release software at high velocity and still be certain that all their security and compliance requirements are met.
The InSpec language is both human and machine-readable and easy to understand. It’s accessible to everyone, whether they are developers, auditors or operators. When compliance is code, rules are unambiguous and everyone can understand them. Developers know what standards they’re expected to meet and auditors know exactly what is being tested. InSpec supplies a common framework that lets different groups, often in different silos, communicate with each other.
InSpec is designed for flexibility. You can express and test the requirements for any number of environments. By design, it operates independently of any infrastructure automation, such as Chef, and it works with all solutions on the market. InSpec supports all major operating systems, including IBM AIX, various flavors of Linux, and Microsoft Windows, including Nano Server. InSpec has many useful resources that you can use out of the box so you can get started quickly.
The framework can run as a local agent on nodes or operate remotely without installing anything on your systems, which is especially helpful for cloud environments and container technologies like Docker and Rocket. If you already use Chef, InSpec can easily be leveraged with the Chef client to assess and report the compliance status of the nodes in your network. The reports are graphical, so you can quickly understand the state of your infrastructure.
Compliance as Code
Companies today are under ever-increasing pressure because of regulatory requirements and financially motivated attacks on their IT infrastructure. The days of script kiddies and dancing pirates on your desktop are gone. Now there is sophisticated crimeware that steals sensitive personal and corporate information. Along with external threats, there is the increasing diversity of infrastructure and application stacks. It’s not uncommon to see legacy mainframes running next to modern container stacks. These complex environments, as well as the speed at which they operate, have led to further compliance and liability challenges. Finally, many countries are enacting strict (and complicated) legislation around issues such as privacy that make the need for automation greater than ever.
Whether greenfield or legacy, healthcare or finance, airlines or entertainment, InSpec provides a unified way of defining and sharing policies in all environments. We believe in open collaboration and creating a community of security experts, operators, and developers that strive to improve their environments one test at a time. InSpec serves as a common foundation that fosters collaboration from the very first day and establishes a new workflow that all departments can use together. Ultimately, InSpec leads to continuous compliance, which is an inclusive lifecycle that incorporates compliance into your components throughout their existence, from the moment of inception through continuous improvements, to deployment.
Highlights for 1.0
With this release we have a great list of new features:
- Integration with Chef Automate
- Dependency management, which supports profile customization through overlay profiles and custom resources through resource packs
- Attribute system to cover sensitive information like passwords and keys
- Wide Microsoft Windows coverage with full remote capabilities and CIS compliance benchmarks
- Stable JSON API
- Many new resources (for example, SSL) and improvements