Progress steers Chef InSpec toward CSPM

After a rocky first year, Progress Software has tightened Chef product integrations and solidified roadmap plans that focus on InSpec and CSPM.

With a period of post-acquisition upheaval now behind it, Progress Software said Chef InSpec will be the focus of its new long-term strategy for the IT automation company.

Progress bought Chef in September 2020 for $220 million. The purchase was followed by major staff changes throughout the company, from sales and marketing to customer support and engineering, according to Sudhir Reddy, who had been global vice president of engineering at Chef since 2016 and is now vice president of engineering of the Chef business at Progress.

"We went through turmoil in the first three quarters," Reddy said in a virtual Q&A session at ChefConf on Sept. 8. "All of those teams have, to some extent, rebuilt."

Progress did not disclose how many of Chef's original employees it has retained, but Reddy was one of the few longtime Chef executives visible at the company's user conference this year.

During conference sessions, Chef customers also spoke candidly about the struggles the companies went through after the acquisition.

"Initially, I was a little concerned. ... I'd never heard of Progress before, and I was concerned about losing some of the key engineers that I knew," said Lance Albertson, director of the open source lab at Oregon State University, during a keynote presentation. "I wasn't sure what was going to happen with the products, if things were going to just go into maintenance mode ... and some of the communication could have been done a bit better."

In particular, the community around the Chef Habitat application deployment automation project seemed to come to a near stop following the acquisition, Albertson said, although activity has since resumed. He added that he's been especially pleased with Progress' attention to adding more code coverage to Chef's Test Kitchen integration testing.

Brittany Woods, manager of the server automation team at tax prep company H&R Block, also found the post-acquisition transition difficult.

"In the beginning, for the community, it was kind of a big blow," she said during the keynote session. "[We lost] a lot of the engineers we've networked with for years that have been part of the product ... but it looks like a lot of things that needed attention before ... are being taken up now."

Chef InSpec takes priority in CSPM charge

Since Progress acquired Chef, it has made substantial changes to the company's products as well as to its personnel. The product changes include tighter integration among the separate pieces of the Chef product portfolio: Chef Automate, an umbrella automation framework; Chef InSpec for security and compliance; Chef Habitat for application deployment; and Chef Infra for infrastructure management.

Chef Software had pledged to unify all these pieces for years but hadn't completed the full integration when Progress bought the company. Since the acquisition, Progress has completed that work. A separate Chef Server for infrastructure management is no longer required -- Chef Automate can manage configuration for multiple organizations and apply policies and cookbooks directly.

This month, Progress added Chef InSpec coverage for cloud resources such as AWS Virtual Private Clouds, cloud firewalls and cross-account security rules. It also added InSpec rule waivers for exceptions to compliance policies and direct InSpec test management via the Chef Infra client. Previously, Chef Infra could invoke Chef InSpec scans using separate audit cookbooks, but with this update, users can directly embed InSpec tests with Ruby code in regular Chef cookbooks.

While Progress will continue to develop all of Chef's products, InSpec will be the primary focus going forward, with an eye toward competing in the increasingly popular Cloud Security Posture Management (CSPM) category.

"In the past, you've seen us talk about infrastructure and compliance automation, but what we're evolving to is the idea of policy-based automation that encompasses compliance and infrastructure builds," Reddy said in an interview. "The CSPM space [is] where we're seeing the bulk of our growth and where we're making most of our investments."

Chef InSpec set to expand integrations

Progress has already begun to lay the groundwork for its CSPM push with a unified data feed that draws from Chef Infra, Chef Compliance and Chef Automate and integrates with third-party data analytics and visualization tools such as Splunk and Elastic's Kibana.

This integration previously required a do-it-yourself approach from users in most cases, according to H&R Block's Woods, and standardizing and prepackaging such integrations has a lot of potential value for users, she said.

"Data is rotated faster through Chef, which runs every 30 minutes, than a typical compliance scanning system, and Chef 'knows' every detail about the infrastructure," Woods said in an interview. "Progress has put a lot of work into what Chef started here to formalize integrations and make them more robust and adaptable."

As part of the Chef InSpec roadmap, Progress will expand its premium content. Woods said this is of interest to her team, which has already implemented Chef's automation profiles for federal Security Technical Implementation Guide (STIG) standards.

Further coverage for Azure resources, such as a planned integration with Azure Policy for compliance rules enforcement in the Microsoft public cloud, would be most valuable, she said, as would coverage for PaaS services Chef traditionally hasn't been able to manage. This may be possible soon, as Progress also plans to offer an agentless version of Chef, according to conference presentations.

"The STIG profiles and the ability to apply [InSpec] waivers save a ton of development time," Woods said. "It would be great to get even more of that developer overhead out of the way for Azure."

CSPM competitive picture takes shape

Chef InSpec's existing library of content includes Center for Internet Security benchmark templates and AWS, Azure and Google Cloud Platform resource packs and is among its top strengths heading into a highly competitive CSPM market, said Jim Mercer, an analyst at IDC.

"Content is king," Mercer said. "CSPM is still kind of a new space and, though Progress Chef has formidable competitors, they're not necessarily late to the game."

Among these competitors, which also include vendors from observability and traditional IT security categories, is the Cloud Native Computing Foundation's Open Policy Agent (OPA). OPA has caught on quickly among enterprises with Kubernetes in production, while Progress is still working on the finer details of Chef InSpec container security, such as enforcing container-level access control rules.

But InSpec, initially developed at Deutsche Telekom and used at extreme scale within large enterprises such as SAP, also has its own advantages, said Paul Delory, a Gartner analyst. These include the fact that InSpec is written in a more familiar programming language, Ruby, than the sometimes tricky and lesser-known Rego language that OPA uses.

Before the Progress acquisition, Chef primarily focused on InSpec's integration with its own configuration management tools. But in its raw open source form, InSpec can support competitors such as Puppet and Ansible. It could also potentially integrate more broadly with other products in the Progress portfolio such as WhatsUp network monitoring; Test Studio for software testing and quality assurance; Fiddler for web debugging; and Corticon, a general business rules engine.

"I'd be very interested to see Chef InSpec integrated with Corticon," Delory said. "That could be a way to let InSpec enforce general business logic, as OPA already can."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached on Twitter @PariseauTT.
