One of the reasons Metasploit is the tool of choice for so many is that it has a big user base that actively updates it. It's not unknown for software vulnerability advisories to be accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation steps of that particular bug. Exploit code is a necessary evil for penetration testers, IDS signature developers and network administrators wanting to verify that an installed patch actually works.
In order to improve on the current feature set, Metasploit is intending to add service-based features, such as a password cracker and an opcode (operation code) database. Certain exploits, such as buffer overflows, usually require precise knowledge of the position of certain machine-language opcodes in the program or library being attacked, and those positions differ from one build of the software to the next. These added services from Metasploit will allow an exploit developer to test their code against multiple versions of a piece of software when only one version of the software is available to them.
The real question is whether you want to share any of your information with an outside provider. Critical data should only be shared with a third party if you are satisfied with their service-level agreement (SLA) and are confident the provider will deliver on it. Additionally, certain data you process may be covered by various regulatory and compliance rules restricting how, where and to whom data can be sent. The people behind Metasploit have said they may require registration and telephone confirmation to prevent abuse of the new services, but the framework is an open source project, and they are unlikely to offer an SLA.
Like similar commercial exploitation tools, such as Core Impact and Canvas, Metasploit is provided solely for legitimate security research and testing purposes, but it can be used just as easily by malicious hackers as by genuine researchers. You may feel more comfortable with a commercial relationship, but if no sensitive data is involved, then offloading resource-intensive penetration testing tasks to Metasploit looks to be an attractive option.