Author:

Galen Emery

I am Galen, the Lead Compliance and Security Architect for Chef. My professional life has been built upon automating everything I can, and am responsible for helping security and compliance teams understand how to secure systems within the DevOps model. I currently live in San Diego, CA but am originally from Seattle, WA with time spent in DC working with the federal government. I have extensive experience in Windows, Cloud Migrations, Chef, Compliance and Security. I hold an active CISSP.


Testing Windows DNS SIGRed Vulnerability with Chef InSpec

It’s not DNS. There’s no way it’s DNS. It was DNS. A system administrator’s haiku, many have uttered before. Today it rings true once again. CVE-2020-1350 is a vulnerability found in _all_ versions of Windows Server DNS back to 2003. Found by the folks at Checkpoint, this is a highly critical vulnerability.

Read more

Chef InSpec Profile for Critical Salt Vulnerabilities

On April 30, 2020, two critical security vulnerabilities were identified with the SaltStack open source project (github.com/saltstack/salt). These vulnerabilities are critical and must be patched to avoid potential take over of your systems. This vulnerability has been assigned the highest severity rating, 10.

Read more

Protect Yourself From the RubyGems Backdoor by InSpec’ing Your Fleet

Chef has invested a lot with the Enterprise Automation Stack in security. With Chef InSpec you can easily scan your systems for potential vulnerabilities and then leverage Chef Infra to run remediation across your entire fleet. This is important because last week’s RubyGems vulnerability likely affected other software you have deployed that uses Ruby.

Read more

Chef Confirms No Products Affected by Backdoored RubyGems

At Chef, we have a cross-functional security team who evaluates and responds to potential security incidents. Because a significant portion of our code uses Ruby and Ruby libraries (known as “gems”), we have been paying close attention to the reports of malicious code insertion into several gems.

Read more
Posted in:

Applying Compliance on Azure Government with InSpec

In government, compliance and security are a critical component of our job function. The current state of compliance frameworks are bulky and unwieldy for those inexperienced with OpenSCAP/XML. Microsoft Azure Government cloud and InSpec are designed to provide a common language for security, compliance, and automation teams to converge around.

Read more