3. Agenda
1. How the journey started
2. InSpec to the rescue
3. Custom InSpec Profiles
4. Chef Supermarket
5. Community InSpec Profiles
6. How the journey continues
8. Four major problems
• Manual correctness checks
Once per application deployment
• Manual readiness checks
Once per environment creation
• Manual security checks
Once per release
• Manual compliance checks
Once per release
11. What is InSpec?
• Open source testing framework
• Checks actual state against a desired state
• Useful for testing applications and infrastructure
• Written in Ruby
15. What tests did we create?
• Application correctness checks
Testing AEM application installation, configuration, API
• Environment readiness checks
Testing all AWS EC2 servers readiness to serve content
• Application security checks
Testing the AEM application against the AEM security guidelines
• Environment compliance checks
Testing application and servers setup against
organisation compliance requirements
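The two slides above describe InSpec as a framework that compares the actual state of a system with a desired state, and the security and compliance checks as comparisons against a guideline. The block below is an added example, written for this page in plain Ruby (it is not code from the talk or from the shinesolutions profiles, and it does not require the inspec gem): it parses a constructed sshd_config, evaluates three illustrative CIS-style controls against it, and reports results in the same shape an InSpec run does (control id, impact, title, per-expectation failures, and InSpec's convention of exit status 100 when any control fails). The control ids, the chosen settings and the sample config are assumptions made for the example, not a copy of any benchmark.

```ruby
# Added example: a plain-Ruby sketch of what an InSpec control does, namely
# compare the ACTUAL state of a system (here a constructed sshd_config) with
# a DESIRED state and report pass/fail per control. InSpec itself is not
# required; the control/impact/title vocabulary is borrowed for familiarity.

# A control mirrors InSpec's control block: an id, an impact (0.0..1.0),
# a title, and a hash of expected key/value pairs in the actual state.
Control = Struct.new(:id, :impact, :title, :expectations)

# Parse an sshd_config-style "Key value" file into a hash, skipping comments
# and blank lines. sshd_config keys are case-insensitive, so they are downcased.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    conf[key.downcase] = value
  end
end

# Desired state: three settings that SSH hardening guides commonly require.
# Ids and values are illustrative (assumed for the example), not a copy of
# any CIS benchmark or of the DevSec profile.
SSH_CONTROLS = [
  Control.new('ssh-01', 1.0, 'Root login over SSH is disabled',
              { 'permitrootlogin' => 'no' }),
  Control.new('ssh-02', 0.7, 'X11 forwarding is disabled',
              { 'x11forwarding' => 'no' }),
  Control.new('ssh-03', 0.5, 'Idle sessions time out',
              { 'clientaliveinterval' => '300', 'clientalivecountmax' => '0' })
].freeze

# Evaluate each control against the parsed config. Returns one result hash per
# control; failed expectations are listed so a CI job can print them.
def run_controls(actual, controls = SSH_CONTROLS)
  controls.map do |c|
    failures = c.expectations
                .reject { |k, v| actual[k] == v }
                .map { |k, v| "#{k}: expected #{v.inspect}, got #{actual[k].inspect}" }
    { id: c.id, impact: c.impact, title: c.title,
      status: failures.empty? ? :passed : :failed, failures: failures }
  end
end

# Summarise the run: counts plus the exit status a pipeline step would use
# (0 when everything passed, 100 on control failures, as InSpec does).
def summarise(results)
  failed = results.count { |r| r[:status] == :failed }
  { passed: results.size - failed, failed: failed,
    exit_status: failed.zero? ? 0 : 100 }
end

# Constructed sample input: passes two controls and fails one (X11Forwarding).
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed for the example
  Port 22
  PermitRootLogin no
  X11Forwarding yes
  ClientAliveInterval 300
  ClientAliveCountMax 0
CONF

if __FILE__ == $PROGRAM_NAME
  results = run_controls(parse_sshd_config(SAMPLE_SSHD_CONFIG))
  results.each do |r|
    puts "[#{r[:status]}] #{r[:id]} (impact #{r[:impact]}) #{r[:title]}"
    r[:failures].each { |f| puts "    #{f}" }
  end
  puts summarise(results).inspect
end
```

Run it with `ruby` on its own; the printed summary shows two passed controls, one failed, and an exit status of 100, which is the value a cloud-init script or a Jenkins stage would propagate to block a deployment. Replacing the constructed string with `File.read('/etc/ssh/sshd_config')` turns it into a real, if minimal, readiness check; a proper InSpec profile would express the same expectations with `describe sshd_config` resources and gain InSpec's reporters and remote targets for free.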
16. When did we run those tests?
• On every server creation
Each AWS EC2 instance has a cloud-init script
which runs correctness, security, and compliance checks
against the applications
• On every environment creation
Each environment has an AWS Lambda function
which runs readiness and compliance checks against all
servers
• On-demand
Jenkins CI/CD pipelines which run all types of checks
18. But wait, there were more problems
• Many standalone test files
• Different engineers structured the tests differently
• No clear grouping between tests
• We started writing some custom CIS Benchmarks
and AWS checks
25. We created three InSpec Profiles
• InSpec AEM
Checks a single AEM application
https://github.com/shinesolutions/inspec-aem
• InSpec AEM Security
Checks an AEM application against the AEM security guidelines
https://github.com/shinesolutions/inspec-aem-security
• InSpec AEM AWS
Checks a single AEM on AWS environment
https://github.com/shinesolutions/inspec-aem-aws
26. Problems solved?
• Many standalone test files
Test files are now part of InSpec Profiles
• Different engineers structured the tests differently
Everyone follows InSpec Profile style guide
• No clear grouping between tests
Each InSpec Profile defines a domain
33. CIS Benchmarks
• A set of guidelines and best practices for the secure
configuration of a system
• Created by the Center for Internet Security together with
tech communities
34. Community InSpec Profiles
• CIS Linux Benchmark (DevSec)
Used for securing RHEL7 on AWS EC2 instances
• CIS Docker Benchmark (DevSec)
Used for securing Docker images used by CI/CD
pipelines
• AWS Foundations CIS Baseline (Mitre)
Used for securing AEM on AWS environments
• InSpec AWS (InSpec)
Used for checking AWS resource compliance
against organisation requirements
42. Lessons learnt
• InSpec is your utility belt for testing anything that can be
coded
• Leverage InSpec Profiles from the community
• If you need to test something once,
you will likely need to test that something again
• Execute tests early in the delivery pipeline
Execute tests continuously along the delivery pipeline
• Never ever send a human to do a machine’s job
43. Thank you! Any questions?
cliff.subagio@shinesolutions.com
linkedin.com/in/cliffano/