Your Time At ChefConf 2019: Chef InSpec and Security

Chef InSpec is a powerful tool for creating and managing complex security profiles for your infrastructure. Whether you’re using Windows or Linux, Chef InSpec can help your team managing the demands of the modern security landscape.

If you haven’t started using Chef InSpec yet, ChefConf is a perfect opportunity to get acquainted with this tool and learn how to apply its features to your infrastructure and workflow.


This year, Monday May 20 is our ChefConf Workshop Day, and Chef InSpec is included in our workshop offerings. If you are totally new to Chef InSpec, our technologists have a full day workshop planned to help you get started. Register for the Chef InSpec Jumpstart Workshop when you register for ChefConf 2019.

Spend some time in the evening chatting with our sponsors and other ChefFriends in the exhibit hall.


Tuesday is our first day of full content for ChefConf. In the morning you’ll hear from our team about our vision for the future and some of the things we’ve been working on. Our keynotes will be on the third floor, and you’ll want to get there on time to get a good seat!

After lunch, our breakouts get started! Let’s see what’s on deck for Chef InSpec on Tuesday.

At 1pm, in room 501, Todd W Cox will present Chef InSpec Workers: How to Avoid Being One More (Damn) Thing. Take advantage of Todd’s experiences deploying Chef InSpec to his team:

How do you make InSpec and compliance testing fit into the busy day-to-day work of a team of Operators?  How do you make space and time for them to write the tests, and avoid being just One More (Damn) Thing on their todo list?  Answer: Make it Easy!

My catchphrase is: “Make the Right Way the Easy Way.” Come and learn about how I’m empowering my team, hiding the complexity, and improving our processes by stringing together a bunch of technologies I’m admittedly not very good at.  You can do it too, even if you’re not very good at the technologies involved.

The Chef InSpec-related breakouts at 2pm give you a choice of two, depending on what you might want to use Chef InSpec for.

Galen Emery and John Snow will be in room Elwha B on the 5th floor to talk about Exception Handling: Compliance as Code. Galen and John are Chef employees, so they’re going to share some of the things they’ve learned working with various customers:

In the coded enterprise, it is straightforward to apply a profile across our entire fleet of systems. But in our enterprises, we run hundreds or thousands of applications, with various servers, and we must modify our profiles to accommodate all of these exceptions. This quickly turns into an agonizing sprawl of hundreds or thousands of profiles. How do we manage all of these profiles? How do we know which exceptions are approved, and how do we manage new ones?

In this talk, we’ll discuss some of our experiences solving these issues inside the US Federal Government, and the solution that underpins the changes necessary to the waiver approval process in order for this to work.

If you’re looking for something a little more specific to using Chef InSpec in your day-to-day, check out Kyle Harper’s talk Delivering Security Control at Velocity down the hall in room 502:

Overwhelmed by implementing security controls? Failing security audits due to drift? Learn how to solve these challenges through config-as-code, from someone who has first-hand experience with federal STIG requirements. You’ll see how to create an agile security framework that delivers rapid value and compliant systems.

Finish up your day with another tough choice! We’re not making it easy on you here, sorry!  

At 3pm in room 602, our #ChefFriend Keith Walters is going to get into some FIPS requirements with his talk  FIPS Doesn’t Have to be a Four Letter Word:

Even though automation in the Federal Government is becoming more commonplace, one requirement frequently gets in the way: FIPS 140-2. FIPS impacts everything from the code you write to the COTS software you run. This talk shares tips and tricks for managing FIPS compliance in your pipeline.

But if that seems a little advanced for your needs, join Chef’s Clinton Wolfe for a tour of What’s New In Chef InSpec in room 401. Clinton works on Chef’s InSpec team, and he’ll be sharing with you what’s been going on with Chef InSpec and some ongoing plans.

In the evening, join our community for games in Elwha A on the 5th floor. There will be snacks and drinks and fun and hijinks. If you need some time to decompress and get ready for Day 2, that’s ok too! There’s plenty of cool restaurants in the neighborhood to have some food and relax.  Because Wednesday is going to be intense!


Start the day Wednesday with us on the third floor for some customer stories during our keynotes.  You’re not alone out there! Chef’s customers and community are here to share their stories.

After lunch, it’s five sessions for your Chef InSpec-based enjoyment!

At 1pm, head to room 402 for some guidance from Jonathan Weiss from AWS on working with Chef InSpec in their environment. His talk,  Chef on AWS: Integration and Compliance will get you what you need if you’re working in AWS and want some Chef InSpec:

Chef Server, Chef Automate, and Chef InSpec have great reporting and compliance capabilities. If you are running on AWS, you are probably interested in how to integrate these capabilities with AWS services like AWS Config or AWS Security Hub. So that’s what this talk is about.

Excellent! What’s next? At 2pm, we have two options for you, depending on what you’d like to know.

For our Enterprise friends, GDIT’s Zachary Schmitt and Bradley Shelton are going to get into the nitty-gritty of enterprise workflows and AWS and air-gapped networks and all kinds of things related to their work in their talk, GDIT’s “Chef-as-a-Service” Enterprise Solution:

Our Enterprise covers 200+ AWS accounts and multiple Air-Gapped networks. We had no real insight into what was happening within our Enterprise. We also had to deal with our security team’s manual processes which is typically a 6-18 month Time-To-Prod. “Chef-as-a-Service” is our solution.

If that’s not your cup of tea, trainer extraordinaire Lynn Frank will give you some real-world advice on working with Chef InSpec in room 402 with  InSpec Yourself Before You Wreck Yourself:

Our automation enables us to move faster and work with more accuracy. Which in turn makes it possible for us to seek new challenges and take on more responsibility. Higher and higher we climb until the wax that holds our wings begins to give and we come crashing down. We can learn from these losses by creating tools that have more human-friendly interfaces and come equipped with tests. This presentation will demonstrate the test-driven development of cross-platform InSpec resources for command-line tools, configuration files, and those somewhere in-between. You will learn the structure of InSpec resources, powerful string manipulation techniques, and gain clarity into Ruby’s meta-programming magic.

Don’t start flagging yet! Grab a snack and a drink on your way to the 5th floor, room Elwha A, for another great talk from Google’s Sam Levenick and Chef’s Stuart Paterson, The Magic of Custom InSpec Resources:

Magic Modules is an open source framework for automagically generating custom InSpec resources. Learn how Magic Modules ( was introduced to InSpec GCP to create high resource coverage in a short time. The secrets of Magic Modules will be revealed!

Head around the corner to Elwha B for a talk on getting your compliance profiles to work for you. Nicholas Mellen and Marcelo Zambrana present  Application Independent Verification and Validation Testing with Chef Automate and Compliance Profiles which seems like a mouthful but is going to help you get some really serious work done with these tools:

In both industry and government, independent verification and validation (IV&V) testing is an often-targeted component for automation. DevOps team members should use Automate and Compliance Profiles to automate acceptance testing for applications and improve on their regulatory and compliance position.

NIST Special Publication 800-123 details three information security objectives often identified using the acronym CIA: confidentiality, integrity, and availability. In the US Federal Government, IT Leadership pushed for more IV&V testing of their systems, as well as automating said testing, and this talk aims to demonstrate one approach we have found to solve these problems.

If Azure is your platform of choice, we can close out your day of Chef InSpec stories with Michael Greene in Elwha A, talking about Implementing Chef InSpec Scanning at Scale Through Azure Policy:

Enterprise organizations often need to create 100’s of cloud subscriptions to enable application teams. How then, should you implement tools for verifying compliance requirements before you release to production? In this session, we will discuss how to use native capabilities in Microsoft Azure Policy to run InSpec inside virtual machines and validate industry baselines before you release changes.

After this talk finishes up, take some time to relax and refresh, then join us at the Paramount Theatre for the ChefConf Community Celebration featuring Mudhoney and Deep Sea Diver. Our parties are the kind you never forget!

Deep Sea Diver
Deep Sea Diver


Stay up all night in Seattle and join us in Elwha A on Thursday morning for maybe some hair of the dog and some hacking. Take the things you’ve learned about Chef InSpec the past three days and put hands to keyboard along with your new friends in the Chef Community. We’ll be hanging out working on whatever people feel like working on until mid-afternoon.

Sleep when you’re dead, right?!?

Mandi Walls

Mandi is Technical Community Manager for Chef. She can be found online @LNXCHK.