
KICS – From IaC Security to Cloud Security Posture and Drift Control


January 25, 2022

Gartner predicts that by 2025, 70% of all enterprise workloads will be deployed in cloud infrastructure and platform services, and that through 2025, more than 99% of cloud breaches will have preventable misconfigurations or end-user mistakes as their root cause. As more organizations build their business on cloud infrastructure and deploy their software to the cloud, it is therefore crucial to understand their security posture and to continuously mitigate risk by scanning that cloud infrastructure in every environment.

IaC (Infrastructure as Code) scanning as part of your software development life cycle is step one, and now we are taking scanning to the next phase. Besides scanning your IaC files, KICS can now connect to deployed production environments and scan them to identify security misconfigurations. Whether those misconfigurations originate in your IaC files, in manual resource provisioning and changes, or in resources that are not up to date with current versions or security features, KICS by Checkmarx can now help address many of them.

To help developers, DevOps, and security teams with IaC challenges such as managing cloud resource configurations, keeping them aligned across all environments, and following security best practices and organizational policies while mitigating risk, we are introducing the KICS 1.5 release.

This release enables organizations to extract cloud resource configurations from runtime environments on AWS by leveraging Terraformer. From that output, organizations can construct IaC files that reflect the runtime configuration and scan them automatically with KICS. The resulting scan report shows the actual security posture of the live environment as a list of vulnerabilities and misconfigurations.

With this new capability, developers, DevOps, and security teams can scan live production environments and get an overview of their cloud security posture. In addition, manually comparing these results with the results of IaC pipeline scans can help identify cloud configuration drift.
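As an added example that is not part of the original post or of KICS itself, the following Python compares two KICS JSON reports, one from the pipeline's IaC files and one from the Terraformer-extracted runtime configuration, and buckets the findings so that drift stands out. The report shape follows the "queries" / "files" layout of a KICS results.json; the query ids, resource names, and the assumption that runtime and pipeline resource names line up are constructed for the example.

```python
import json

# Constructed sample reports in the shape of KICS's results.json ("queries" -> "files"),
# trimmed to the fields this comparison uses. Query ids and resources are made up.
IAC_REPORT = json.loads("""{"queries": [
  {"query_id": "q-1", "query_name": "S3 Bucket Without Versioning", "severity": "MEDIUM",
   "files": [{"file_name": "infra/s3.tf", "resource_type": "aws_s3_bucket", "resource_name": "logs"}]},
  {"query_id": "q-2", "query_name": "Unrestricted Security Group Ingress", "severity": "HIGH",
   "files": [{"file_name": "infra/sg.tf", "resource_type": "aws_security_group", "resource_name": "web"}]}
]}""")
RUNTIME_REPORT = json.loads("""{"queries": [
  {"query_id": "q-2", "query_name": "Unrestricted Security Group Ingress", "severity": "HIGH",
   "files": [{"file_name": "generated/aws/sg/security_group.tf", "resource_type": "aws_security_group", "resource_name": "web"}]},
  {"query_id": "q-3", "query_name": "RDS Instance Without Encryption", "severity": "HIGH",
   "files": [{"file_name": "generated/aws/rds/db_instance.tf", "resource_type": "aws_db_instance", "resource_name": "main"}]}
]}""")


def findings(report):
    """Flatten a report into {(query_id, resource_type, resource_name): (query_name, severity)}.
    File names are deliberately not part of the key: Terraformer writes the runtime
    configuration into its own file layout, so paths never match the pipeline's files."""
    keys = {}
    for query in report.get("queries", []):
        for hit in query.get("files", []):
            key = (query["query_id"], hit.get("resource_type"), hit.get("resource_name"))
            keys[key] = (query["query_name"], query["severity"])
    return keys


def drift(iac_report, runtime_report):
    """Split findings into three buckets that each call for a different response."""
    iac, run = findings(iac_report), findings(runtime_report)
    return {
        # Misconfiguration live but absent from IaC: manual change or out-of-band provisioning.
        "runtime_only": {k: run[k] for k in run.keys() - iac.keys()},
        # Misconfiguration in IaC but not live: pipeline not yet applied, or fixed by hand in the console.
        "iac_only": {k: iac[k] for k in iac.keys() - run.keys()},
        # Present in both: the IaC itself introduces it, so fix it at the source.
        "common": {k: iac[k] for k in iac.keys() & run.keys()},
    }


if __name__ == "__main__":
    for bucket, hits in drift(IAC_REPORT, RUNTIME_REPORT).items():
        for (qid, rtype, rname), (name, sev) in sorted(hits.items()):
            print(f"{bucket:13} {sev:7} {rtype}.{rname}: {name} ({qid})")
```

The "runtime_only" bucket is the drift signal the post describes; the other two tell you whether the fix belongs in the IaC or in the pipeline that applies it.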

According to Ori Bendet, Vice President of Product Management, Checkmarx, “With this new capability we are securing cloud infrastructure a step further. Companies can now scan their IaC pipelines together with their live environments and get a better understanding of their cloud security posture.”

While this is a major step toward automatically comparing security findings and misconfigurations across the different environments of your cloud infrastructure, and mitigating the risks as soon as they appear, we plan to empower developers, DevOps, and security teams even further. Soon we will support infrastructure scanning for other cloud providers (such as Azure, GCP, etc.) and deliver an enhanced drift detection tool called “Driffty”, which will complement KICS and provide more actionable insights on top of it. So, stay tuned for what’s coming next!
