KICS: First Open Source Project to Achieve CIS Level 2 Certification

In the context of helping secure the information age for organizations, governments, and citizens all over the world, there are many notable missions in achieving this goal. One of these missions is known as CIS®.

According to their website, “The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation.  We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data.”

In our connected world, the need for collaboration, innovation, and best practices are vastly needed. In fact, CIS has four world-renowned, best practices and expert communities.

Going a little deeper into one particular area of interest, “CIS SecureSuite Membership provides integrated cybersecurity tools and resources to organizations of every size. Security IT teams can automate configuration assessments, conduct remote scans, implement security best practices, and more.”

Why is CIS Important to Checkmarx and the Developer Community?

KICS is an open-source project backed by Checkmarx that is purposely designed to scan infrastructure as code (IaC). KICS has had an incredibly successful launch with over 450K downloads as of date!

More importantly, Checkmarx is a CIS SecureSuite® Product Vendor Member, and our KICS solution has recently been awarded the following certifications from CIS:

KICS 1.4.4 (version)

  • CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 1
  • CIS Amazon Web Services Foundations Benchmark v1.4.0, Level 2

We are extremely proud to have been awarded these certifications, and achieving Level 2 certification is a very notable achievement. Level 2 means that a technology provides “measurable defense in depth” protection.

From a static tool perspective, KICS performed exceptionally well in all evaluation criteria. Although some may say that not being a dynamic solution (testing code while running) is a limitation, KICS scans code much earlier than any dynamic testing solution ever could. KICS gets results and solves issues in IaC way earlier in the pipeline – from the first line of code written – long before the first docker, first container, or first asset were even provisioned. This is a huge differentiator in comparison to dynamic testing solutions.

According to Ori Bendet, Head of Product Management at Checkmarx, who helped spearhead the KICS project, “KICS supports the philosophy of shifting left by testing and securing code as early in the cycle as possible. Developers carry so much responsibility these days—from source code to integrating open source libraries, to containers and Infrastructure-as-Code. Each of these tasks possess its own security risks. From the first line of code developers write, Checkmarx delivers SAST, SCA, and KICS to shore up security on static code, open source code, and infrastructure as code. Combing these solutions, and using them early and often, organizations can feel confident that the code they deploy is secure.”

“As of yet, KICS is the only, completely open source project that has achieved any CIS Certification”, says Erez Yalon, Head of Security Research at Checkmarx. “This serves as a testament to what the open source community is capable of achieving. Checkmarx is very happy to have initiated the project, then opening it up to the community for their contribution. Our list of contributors should receive many thanks for what they have accomplished.”

Want to Know More About KICS?

Just like SAST that scans application source code, finding vulnerabilities and security issues within, KICS scans infrastructure code to finds issues that may lead to potential vulnerabilities as well. Since KICS is open source, you don't need any licenses to use it. You can just go to the repository or download it from Docker Hub, and you can have it up and running in as little as a few minutes, to start scanning your infrastructure code. Also, KICS integrates into a wide variety of CI/CD solutions.

KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in popular IaC solutions and OpenAPI 3.0 specifications. KICS is open source and always will be. Both the scanning engine and the security queries are clear and open to the software development community. With 2000+ fully customizable and adjustable heuristic rules, or queries, KICS can be easily edited, extended, and added to. What’s more, our robust but simple architecture allows for support of new IaC solutions.

Download KICS for free here and start securing your IaC today!

Skip to content