Skip to content
SAF Advanced InSpec Profile Developer CourseSAF Advanced InSpec Profile Developer Course
MITRE InSpec Advanced Profile Developer Course
Course
Resources
Installation
  • Course

    • 1. Course Overview
      • 1.1 Course Objectives
        • 1.1.1 Beginner course fundamentals:
          • 1.1.2 Advanced course objectives:
          • 1.2 About InSpec
            • 1.3 The Road to Security Automation
              • 1.4 Where can I start on my own?
              • 2. Review the Fundamentals
                • 3. Practice the Fundamentals
                  • 4. Tools for Automation
                    • 5. Automate Security Testing
                      • 6. Explore InSpec Resources
                        • 7. Local vs Built-in Resources
                          • 8. Create a Custom Resource - The Git Example
                            • 9. Create a Custom Resource - The Docker Example
                              • 10. Writing Plural Resources
                                • 11. Dissecting Resources
                                  • 12. Exercise - Develop your own resources
                                    • 13. Add Your Resource to InSpec
                                      • 14. Custom Resource Examples from InSpec

                                      1. Course Overview

                                      June 7, 2022About 2 min

                                      On This Page
                                      • 1.1 Course Objectives
                                        • 1.1.1 Beginner course fundamentals:
                                        • 1.1.2 Advanced course objectives:
                                      • 1.2 About InSpec
                                      • 1.3 The Road to Security Automation
                                      • 1.4 Where can I start on my own?

                                      # 1.1 Course Objectives

                                      The purpose of this course is to take you beyond profile development and give you the tools to actively participate in the open source security automation community. The advanced course builds off of the beginner course fundamentals, and by the end, you should be able to achieve all of these objectives.

                                      # 1.1.1 Beginner course fundamentals:

                                      • Describe the InSpec framework and its capabilities
                                      • Describe the architecture of an InSpec profile
                                      • Build an InSpec profile to transform security policy into automated security testing
                                      • Inherit controls from existing profile baselines into your profiles to avoid rework
                                      • Run an InSpec profile against a target - a component of an application stack
                                      • View and analyze InSpec results
                                      • Report Results
                                      • Create concise, human-readable control output using RSpec syntax in InSpec profiles

                                      # 1.1.2 Advanced course objectives:

                                      • Develop resources to aid in creating controls
                                      • Automate security testing by integrating InSpec into a CI/CD pipeline
                                      • Contribute to an open-source security platform by pushing the resources you develop to the InSpec framework

                                      # 1.2 About InSpec

                                      • InSpec is an open-source, community-developed compliance validation framework
                                      • Provides a mechanism for defining machine-readable compliance and security requirements
                                      • Easy to create, validate, and read content
                                      • Cross-platform (Windows, Linux, Mac)
                                      • Agnostic to other DevOps tools and techniques
                                      • Integrates into multiple configuration managament tools

                                      # 1.3 The Road to Security Automation

                                      InSpec is one of the primary tools in the Security Automation workflow. It integrates easily with orchestration and configuration management tools found in the DevOps world.

                                      As you can see from the picture below, the process for developing automated security tests starts with a human-language requirements documents like SRGs, STIGs or CIS Benchmark and then implements them as code. We need that code to record test results in a standardized format so that we can easily export our security data somewhere people can use it to make decisions (like the Heimdall visualization app).

                                      This challenge is what the MITRE Security Automation Frameworkopen in new window or MITRE SAF was developed to simplify -- to make the journey from a Requirement Document to an automated test profile and back again a little easier to navigate.

                                      Alt text

                                      # 1.4 Where can I start on my own?

                                      You can contribute to existing profiles that can be found here:
                                      https://github.com/mitreopen in new window

                                      Otherwise you can create your own profiles if they don't exist using the following security guidelines:
                                      https://public.cyber.mil/stigs/downloads/open in new window
                                      https://www.cisecurity.org/cis-benchmarks/open in new window

                                      Edit this pageopen in new window
                                      Last update: 6/13/2022, 3:33:42 PM
                                      Contributors: Emily Rodriguez
                                      Next
                                      2. Review the Fundamentals
                                      Apache-2.0 | Copyright © 2022 - The MITRE Corporation
                                      Copyright © 2022 Aaron Lippold