One of the reasons Metasploit is the tool of choice for so many is that it has a big user base that actively updates...
it. It's not unknown for software vulnerability advisories to be accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation steps of that particular bug. Exploit code is a necessary evil for penetration testers, IDS signature developers and network administrators wanting to verify an installed patch actually works.
In order to improve on the current feature set, Metasploit is intending to add service-based features, such as a password cracker and the opcode (operation code) database. Certain exploits, such as buffer overflows, usually require precise knowledge of the position of certain machine language opcodes in the program or library being attacked. These added services from Metasploit will allow an exploit developer to test his code against multiple versions of a piece of software when only one version of the software is available.
Your question is whether you want to share any of your information with an outside provider. Critical data should only be shared with a third party if you are satisfied with their service-level agreement (SLA) and are confident the provider will deliver on it. Additionally, certain data you process may be covered by various regulatory and compliance rules restricting how, where and to whom data can be sent. The people behind Metasploit have said they may require registration and telephone confirmation to prevent abuse of the new services, but the framework is an open source project, and they are unlikely to offer an SLA.
Like similar commercial exploitation tools, such as Core Impact and Canvas, Metasploit is provided for solely legal security research and testing purposes, but can just as easily be used by malicious hackers as genuine researchers. You may feel more comfortable with a commercial relationship, but if no sensitive data is involved, then offloading resource-intensive penetration testing tasks to Metasploit looks to be an attractive option.
Related Q&A from Michael Cobb
Expert Michael Cobb explains how password change frequency and reuse for third-party apps should be addressed in enterprise password policies.continue reading
In this introduction to database security, expert Michael Cobb explains the differences between relational database and NoSQL security.continue reading
Learn how a Web-based free spam-filtering service can secure email and prevent spam from attacking your enterprise.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.