Chef launches Compliance: Server security policy as code

Chef Software has released Chef Compliance, a product which aims to automate verification of server security policies to enable rapid application delivery without threatening compliance.

The company has also announced general availability of Chef Delivery, a continuous delivery product first announced in March 2015.

The thinking behind these DevOps tools is that rapid deployment and update of business-critical applications is only possible with automation. The way you achieve automation is by defining not only the application but also the environment in which it runs as code, and having tools which create the infrastructure and deploy the application based on that code. It is no longer necessary to set up and configure servers manually, which both saves time and avoids errors.

Working with code has many advantages. Code is versioned and it is easy to track changes, see who made them, and reverse them if necessary, just as application developers have always done.

Chef believes it has it all worked out. “There is a right way to do DevOps and we’ve identified what it is,” says VP of marketing Jay Wampold modestly. “Everything is code and it must be rapidly deployed in a verifiable repeatable and safe manner. The key ingredients are cloud, automation and culture.”

Chef Delivery is a management and workflow tool that lets users see the status of projects in progress. Several features have been added after a period of testing, including an audit trail and integration with GitHub and Bitbucket Server (formerly known as Stash, another Git-based code collaboration product).

What then is Chef Compliance? Compliance in this context is the business of configuring and verifying servers to meet regulatory requirements and security best practices, such as CIS (Center for Internet Security) benchmarks that form part of PCI DSS (Payment Card Industry Data Security Standard), required for processing card payments.

In the past, Chef has used Serverspec, a Ruby-based engine for running tests to check server configuration. However, a German startup called VulcanoSec, acquired by Chef earlier this year, had been working on a richer compliance framework. Chef Compliance is based on this technology.

“We wanted to describe our tests as a collection of controls, which are grouped into compliance profiles. These had to be easily shareable and extendable and offer a mechanism to make simple adjustments from one project to the next. We wanted our tests to be more descriptive, adding in criticality (so that you know what to focus on first, when you get truckload of test failures) as well as descriptive metadata to help explain the meaning of the test,” says VulcanoSec CEO Dominik Richter.

This work was originally based on Serverspec, but the company eventually developed its own test execution engine and its own domain-specific language, which together are called InSpec. The above link has more details. Compliance rules in the InSpec language are easy to read, and as far as possible abstract away the specifics of the operating system. For example, here are rules which specify that a web server is listening on the HTTPS port and not the unencrypted port 80:

describe port(80) do
it { should_not be_listening }
end

describe port(443) do
it { should be_listening }
its('protocol') {should eq 'tcp'} 
end

InSpec is also an open source project, under the Apache 2.0 licence. “The goal is to create a common language for writing compliance rules. We hope it will be picked up broadly,” VP of business development Ken Cheney told the Reg.

Chef Compliance is fully released and can be used on its own or as part of the Chef platform. ®