KICS (Keeping Infrastructure as Code Secure) has had an incredibly successful launch, with over 273k downloads to date! As a result, we wanted to learn more about KICS, so we sat down with Ori Bendet, Director of Product Management at Checkmarx, to learn about the creation of KICS, what it is, in which cases you should use it, and what new developments you can expect to see in the coming months. Here is what we learned.
How would you describe KICS to a non-tech-savvy audience?
KICS is an open-source project backed by Checkmarx that is purposely designed to scan infrastructure as code. So just like SAST that scans application source code, finding vulnerabilities and security issues within, KICS scans infrastructure code to find issues that may lead to potential vulnerabilities as well. Since KICS is open source, you don’t need any licenses to use it. You can just go to the repository or download it from Docker Hub, and you can have it up and running in as little as a few minutes to start scanning your infrastructure code. Also, KICS integrates into a wide variety of CI/CD solutions.
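To make the idea of "scanning infrastructure code for issues" concrete, here is an added illustration written for this page; it is not KICS code and does not reproduce any KICS query. It shows what a rule-based IaC scan does: a handful of checks run over a constructed Kubernetes Pod manifest (embedded inline, not taken from the interview), each returning a finding with a severity and a location, alongside a hardened copy of the same manifest that scans clean.

```python
import json

# Constructed sample manifest, written for this example; it is not from the
# interview and not a real KICS test case. Two containers: one badly
# configured, one hardened.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "app", "image": "example/app:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "example/sidecar:1.2.3",
             "securityContext": {"privileged": False, "runAsNonRoot": True}},
        ],
    },
})

# The same pod with the issues corrected, to show a clean scan.
HARDENED_MANIFEST = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostNetwork": False,
        "containers": [
            {"name": "app", "image": "example/app:2.0.1",
             "securityContext": {"privileged": False, "runAsNonRoot": True}},
        ],
    },
})


def containers(doc):
    """Yield (index, container) pairs from a Pod spec; empty if the shape is unexpected."""
    for i, c in enumerate(doc.get("spec", {}).get("containers", []) or []):
        yield i, c


def check_privileged(doc):
    """HIGH: a privileged container can reach the underlying node."""
    return [("privileged-container", "HIGH", f"spec.containers[{i}]",
             "securityContext.privileged is true")
            for i, c in containers(doc)
            if (c.get("securityContext") or {}).get("privileged") is True]


def check_run_as_non_root(doc):
    """MEDIUM: runAsNonRoot should be set explicitly to true."""
    return [("run-as-root", "MEDIUM", f"spec.containers[{i}]",
             "securityContext.runAsNonRoot is not set to true")
            for i, c in containers(doc)
            if (c.get("securityContext") or {}).get("runAsNonRoot") is not True]


def check_host_network(doc):
    """HIGH: hostNetwork shares the node's network namespace with the pod."""
    if doc.get("spec", {}).get("hostNetwork") is True:
        return [("host-network", "HIGH", "spec.hostNetwork", "hostNetwork is true")]
    return []


def check_image_tag(doc):
    """LOW: an untagged or ':latest' image is not reproducible."""
    out = []
    for i, c in containers(doc):
        image = c.get("image", "")
        _, sep, tag = image.rpartition(":")
        # No colon, a 'latest' tag, or a colon that belonged to a registry port.
        if not sep or tag == "latest" or "/" in tag:
            out.append(("unpinned-image", "LOW", f"spec.containers[{i}].image",
                        f"image {image!r} is not pinned to a version"))
    return out


RULES = [check_privileged, check_run_as_non_root, check_host_network, check_image_tag]


def scan(manifest_text, rules=RULES):
    """Parse one JSON manifest and return findings sorted by severity, then location."""
    doc = json.loads(manifest_text)
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = [f for rule in rules for f in rule(doc)]
    return sorted(findings, key=lambda f: (order[f[1]], f[2]))


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 1, 'LOW': 1}."""
    counts = {}
    for _, sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for rule_id, sev, where, msg in scan(SAMPLE_MANIFEST):
        print(f"{sev:6} {rule_id:22} {where}: {msg}")
    print("hardened manifest findings:", scan(HARDENED_MANIFEST))
```

Each rule is a plain function from a parsed document to a list of findings, so adding coverage for a new misconfiguration means adding one function to `RULES`; a real scanner additionally has to parse HCL, YAML and other IaC formats and carry the file name and line number in each finding, which this illustration omits.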
How did it all start?
Actually, the concept around KICS started a few years ago as an innovation project, and then it picked up speed late last year. The project started in the Office of the CTO, led by Maty Siman; then Alex Roichman, Director of Cloud Native Security, handed it over to R&D and Product Management to bring it to reality. In November of 2020, KICS was ready for its first release.
What were the main motivations behind the creation and the launch?
With the rise of cloud-native, and as everything is beginning to become code, we wanted to create a new engine that would be able to scan a new type of code (i.e., Infrastructure-as-Code). Forrester, in their latest wave for SAST, referred to this as “going beyond the traditional definition of code”. The idea was to launch an open-source engine that included a long list of queries created by a host of contributors, instead of developing a commercial offering. This provided more of a bottom-up approach rather than a top-down one. Being developers ourselves, we wanted to give back to the dev community since we see a tremendous need for securing IaC. We also wanted to make sure that we could spread the word organically and allow contributors worldwide to be part of the project. This is why we decided to release KICS as an open-source project.
What type of organizations does KICS help the most?
KICS can help any organization that develops and deploys IaC. From what we observe in the industry, every organization we have spoken with recently is using IaC at some level. However, quite a few are not scanning this code, and we see this as a tremendous risk. To solve this issue, many of our existing customers and other organizations worldwide are using KICS to scan their infrastructure code and are benefitting tremendously from it. This was our hope all along.
Is it easy to use?
It’s very easy to use. All you need to do is run two very simple commands, and in less than two minutes you’ll have it up and running and will start getting scan results from it immediately.
Where do you see KICS in five years?
Five years is way too much time to make a prediction in the software industry, but the plan is to evolve it in two parallel tracks. As we continue, we will add more coverage and more tools, expanding to APIs and secure API configurations, working with the rest of the infrastructure tools, and we will look to add more as we move along. We will also integrate KICS as an additional engine into the Checkmarx suite of AST solutions and have it available as a commercial offering soon. So, these are the two tracks that we have planned for KICS. One is to continue the open-source project, and the other is to integrate it into our other commercial offerings.
How are you making people aware of KICS?
Today, we are promoting KICS to new personas who were traditionally less aware of Checkmarx. While Checkmarx has been very well known in the AppSec and CISO communities for more than a decade, DevOps, developers, cloud engineers, infrastructure engineers, etc. are becoming more aware of Checkmarx solutions partly due to this bottom-up approach. So, the idea is to simply make it available and spread the word through the practitioner communities who really need this type of solution. This year, the team spoke about KICS at Yalla DevOps, DevSecOps24, Black Hat Asia 2021, and GISEC – with more events to come soon.
Is there anything you want to add, something else that you think is important to mention?
The last thing that’s worth mentioning is that we’re seeing tremendous interest and usage so far. The sheer number of downloads is a testament to its tremendous value in the dev communities. The feedback we’re getting from our customers and general users is extremely positive. All information is available on our website at KICS.io, and we would appreciate it if you could give us a star on GitHub. If you have started using KICS, we are more than happy to get any feedback (good or bad) that you may have, and we are committed to continuous improvement of the solution.