Checkmarx Launches Infrastructure as Code Scanning Solution to Secure Cloud-Native Applications

March 4, 2021 Off By Hoofer

Checkmarx announced the launch of KICS (Keeping Infrastructure as Code Secure), an open source static analysis solution that enables developers to write more secure infrastructure as code (IaC). With KICS, Checkmarx expands its AST product line, providing a single platform for securing proprietary code, open source components, and critical infrastructure for both traditional and cloud-native applications.

The adoption of IaC has risen considerably in recent years as organizations transition to the cloud and seek ways to make the provisioning of infrastructure faster and more scalable. However, with all the benefits of IaC comes a multitude of security, compliance, and configuration risks that developers are struggling to address. This is realized when considering that error-related issues (e.g. misconfigurations and misdeliveries) are now the second biggest cause of data breaches.

KICS automatically detects vulnerabilities, hard-coded keys and passwords, compliance issues, and misconfigurations from the very start of the IaC build cycle, allowing developers to easily remediate these flaws before reaching production. As the most comprehensive IaC scanning engine available, KICS supports the top IaC technologies including Terraform, Kubernetes, Docker, AWS CloudFormation, and Ansible. Additionally, KICS offers more than 1,200 fully customizable and adjustable queries, which cover more than 12 categories ranging from encryption and key management to network ports security.

“As development processes evolve and organizations accelerate their cloud adoption, developers are taking on more security responsibility while also delivering software faster than ever before. This is an impossible balance to strike by solely relying on manual, time-consuming code reviews,” said Maty Siman, CTO and Founder, Checkmarx. “KICS was built with this in mind, enabling development teams to automatically identify IaC issues when fixing is quickest, cheapest, and easiest. As the newest addition to the Checkmarx product portfolio, developers now have a single destination for securing all components that make up today’s complex applications.”

Additional key features and benefits of KICS include:

  • Built-in extensibility: KICS provides the largest ‘library’ of queries of any IaC scanning solution, all of which are fully customizable and adjustable. Additionally, KICS’ robust, yet simple, architecture allows for the quick addition of support for new IaC tools.
  • Community-sourced: As an open source project, both the scanning engine and queries for KICS are clear and open to a community of thousands of security and DevOps experts and software developers. Coupled with Checkmarx’s dedicated team that is constantly adding new features and vetting contributions, KICS is able to scale at a rapid pace.
  • Seamless CI/CD integration: KICS can easily be integrated with any CI/CD pipeline, including GitHub Actions and GitLab CI, applying vulnerability and misconfiguration checks to IaC while keeping developers within their preferred tools.

Siman continued, “Checkmarx is a strong advocate of open source projects, and creating KICS in this manner gives the community the opportunity to steer its direction and foster innovation across the industry. We’re excited to watch this passionate community embrace and contribute to KICS as it becomes an essential addition to every developer’s cloud-native security toolkit.”

“I’m proud to welcome Checkmarx to the open source ecosystem with the release of KICS, as the company brings its vast AST experience to the community,” said Lior Kaplan, open source advisor and evangelist. “KICS is already seeing significant interest from the DevOps and security experts who take part in open source, and this will continue to grow as the project scales and expands to more infrastructure as code platforms.”

KICS is available for free today.