Kali Linux evolution: What’s next for the open source pentesting Linux distro?
When the popular security-focused BackTrack Linux distribution was redesigned from the ground up and given the name Kali Linux nearly seven years ago, I remember thinking that it was a fantastic name – and fitting, too.
I had the vivid image of the many-handed Hindu goddess of time and change in my mind, with her typical fierce expression and wielding a weapon/tool in each hand, and made an instant association with the newly Debian-based distro containing hundreds of preinstalled penetration testing programs.
As it turned out, its developers did not have the goddess in mind – or anything else, really – when they chose the new name, but the association stuck with me as I continued to follow the distro’s development through the years.
The Kali Linux user base
Kali Linux is a household name for people working in the information security arena. Not everyone uses it, but they do know about it.
According to Jim O’Gorman, Chief Content and Strategy officer at Offensive Security and leader of the Kali team, Kali users generally fall into two buckets: highly informed, experienced professionals/hobbyist and individuals that are new to Linux in general.
“As a whole, I think it’s fair to say that we build and design Kali for security professionals and hobbyists to utilize as a base platform for their work. These are individuals that could easily roll their own version of Linux for their needs, but if Kali is done right, it’s a no-brainer to use it and save the work and effort that would go into building your own,” he told Help Net Security.
“As you can imagine, this is a picky user base that knows what they want and what they are doing. Our [development] decisions are made with these individuals in mind.”
That is not to say that the input and wishes of the “new to Linux” user base are unwelcome or not considered. “Today’s new users are tomorrow’s professionals. They extend a hand and help lead Kali in the right direction,” O’Gorman notes. “We listen to them, but give them what they need – which is not always what they want.”
It’s difficult to say how many users are there are in total, as the project does not track users in any way: there is no phone home capability, no registration process, or anything similar.
“Any number we say of active users really is speculation. However, we know it’s sizeable not just based on community activity but based on the fact that downloads and repo activity was so large that we had to fall back to CloudFlare to implement a clever solution to allow us to continue to grow, as our traditional mirror network was not growing fast enough,” he added.
Development and feedback
The Kali open source project is funded and maintained by Offensive Security and Kali development is decided on and performed by a very small core team. Still, over the last year, they’ve made it a priority to leverage contributions from outside of it.
“We have moved our entire git tree from a private server to GitLab, and we are benefiting a lot from what GitLab has to offer, such as CI. We have opened our documentation to accept outside contributions, have documented the process for creating community generated packages, and so much more,” O’Gorman told us.
“That said, the core team is responsible for the basic duties. We have on staff QA, project management, and so on. Much of dealing with the load is a matter of being smart with what we do. Being a Debian derivative helps a lot, as we are not building the entire operating system from scratch.”
They have weekly calls where they check on status, see what’s happening, and ensure they all have the pulse of what’s going on. Everyone has core responsibilities, but they all chime in on various topics from time to time.
They have a feature roadmap that they would like to see. After each release, they review items to call down as priorities.
“Our quarterly releases cadence ensures a good pace and keeps us moving forward. Because of our relationship with OffSec, we always work closely with penetration testers who are in the field and give us regular feedback on what is and what is not helpful for them, features they would like to see, and so on. And of course there is community feedback – it is always valuable to know where effort is best placed,” he added.
“We have the forums, bug tracker, documentation, and git as opportunities for individuals to make their needs known or even contribute to accomplishing whatever it is they are requesting. Self-empowerment of the user base is critical to Kali’s ability to scale as we continue to grow and move forward.”
Sustainability and future plans
O’Gorman took over ownership of the Kali project from Mati Aharoni, the (now retired) founder of Offensive Security and one of the original developers of BackTrack and Kali.
“This was nothing but an honor and one I took with a humbling sense of responsibility,” he noted. “Growing up in open source, seeing the impact it has to the world and knowing the importance of Kali in the information security space, I knew that the team and I are caretakers that have a responsibility to nurture the project forward.”
Part of the effort is focused on keeping the project sustainable, and making use of services – such as the donated content delivery network from CloudFlare, the professional hosting from GitLab, and others – is crucial.
Opening Kali up to more for community contribution is another of their goals. In the more immediate future, the project’s plan is to move the Kali Tools into git and make public a roadmap and project management.
As to the distro itself: they are just starting up the cycle to build toward 2020.2 and are looking at:
- Automation of cloud releases
- More/new ARM device support
- More documentation
- Updating NetHunter to newer versions of Android
- Improving continuous integration with upstream Debian packages, and more.
As to the direction in which we can expect Kali to evolve in the coming years, O’Gorman says it’s really hard to say.
“I will admit that I don’t like to over plan in areas that I know will change before we get a chance to implement due to the wasted cycles that it creates. As long as we are heading ‘north,’ I don’t need to know the specific roads that we will take along the way,” he noted.
“On the broad strokes, I want to see Kali continue to meet the needs of being the industry-standard penetration testing platform. I want to see the pathway for community interaction continue to grow so the development of Kali is not dependent on just the core team. I want to see the quality continue to increase, the device support continue to grow, the user experience continue to be industry-leading. And I want to be able to be responsive to industry trends and directions along the way.”