Network Security
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Metasploit Project Sold To Rapid7
- From: Howell, Paul
- Date: Wed Oct 21 09:21:14 2009
At
http://www.darkreading.com/vulnerability_management/security/management/
showArticle.jhtml?articleID=220800067
Metasploit Project Sold To Rapid7
Open-source Metasploit penetration testing tool creator HD Moore joins
Rapid7, commercial Metasploit products to come
Oct 21, 2009 | 09:00 AM
By Kelly Jackson Higgins
DarkReading
Vulnerability management vendor Rapid7 has purchased the popular
open-source Metasploit penetration testing tool project and named
Metasploit founder HD Moore as chief security officer of the company.
Moore, who is synonymous with the Metasploit Project , will continue as
chief architect of Metasploit in his new role at Rapid7, and with an
initial team of five Rapid7 researchers dedicated to the open-source
project, some of whom already have been regular contributors to
Metasploit. Financial terms of the deal were not disclosed.
Rapid7 plans to enhance its NeXpose vulnerability management product
line and its own penetration testing services with Metasploit
technology. The details on how Rapid7 -- which uses Metasploit in its
penetration testing engagements -- will productize Metasploit are still
being ironed out: Corey Thomas, vice president of products and
operations at Rapid7, says he expects Rapid7 to keep Metasploit as a
separate product with "high integration" with its existing products.
"But this is all conjecture at this time," he says.
The goal is to leverage Metasploit's exploit technology to help identify
which vulnerabilities discovered by NeXpose are actually exploitable,
according to Thomas. "One of the things our customers have been pushing
us for is how to get better data and information about their risk," he
says. "And exploits are the key to that."
Either way, the potential for a commercial version of Metasploit
represents a major shift in the penetration testing market, where
vendors such as Core Security and Immunity Inc. have offered more
user-friendly tools for enterprises.
Moore says the Rapid7 acquisition of Metasploit gives the project
full-time resources -- Moore and his co-developers of Metasploit
traditionally have done their work on the tool after-hours, during lunch
breaks, and over weekends. "We are pretty competitive with Core and
Immunity based on exploit coverage and features. But this is a great way
to push the project forward ... and kick ass in the commercial sector if
we want to go in that direction," Moore says.
This also will speed up turnaround of new features in Metasploit, he
says. "It's night and day. I can now get a feature done in a business
day, not over an entire weekend ... I'm excited to be able to work on
this full-time."
Metasploit will also now have Rapid7's vast lab resources, and the
ability to get more exposure for the project, he says, and expand the
opportunities for existing Metasploit contributors as well.
Both Moore and Rapid7 say they are well aware of previous open-source
and commercial marriages that have gone south, however, such as the
Nessus scanning tool, which went from an open-source to a proprietary,
closed-source license under Tenable Network Security. They say they are
focusing on the open source community to leverage Metasploit. "Our goal
is to make sure we improve the open-source" element, Thomas says.
"Metasploit will remain open source."
"My goal is if we decide to go commercial, all the features and
components are going into open-source" Metasploit as well, Moore says.
"We started talking to HD and the Metasploit Project folks a few months
ago about how to tie in the exploit data [with our products and
offerings]," Rapid7's Thomas says. "How could we invest and contribute
to the Project over time for a more robust database [of exploits] at our
disposal ... We want to use high-quality exploit data to help prioritize
risk and get better insight into which attacks are most likely," for
example, he says.
Moore says the combination of Metasploit's exploits and Rapid7's
vulnerability reports would go "a lot further than any tool in the
market" today in vulnerability assessment and penetration testing.
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------
|
