One of the reasons Metasploit is the tool of choice for so many is that it has a big user base that actively updates...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
it. It's not unknown for software vulnerability advisories to be accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation steps of that particular bug. Exploit code is a necessary evil for penetration testers, IDS signature developers and network administrators wanting to verify an installed patch actually works.
In order to improve on the current feature set, Metasploit is intending to add service-based features, such as a password cracker and the opcode (operation code) database. Certain exploits, such as buffer overflows, usually require precise knowledge of the position of certain machine language opcodes in the program or library being attacked. These added services from Metasploit will allow an exploit developer to test his code against multiple versions of a piece of software when only one version of the software is available.
Your question is whether you want to share any of your information with an outside provider. Critical data should only be shared with a third party if you are satisfied with their service-level agreement (SLA) and are confident the provider will deliver on it. Additionally, certain data you process may be covered by various regulatory and compliance rules restricting how, where and to whom data can be sent. The people behind Metasploit have said they may require registration and telephone confirmation to prevent abuse of the new services, but the framework is an open source project, and they are unlikely to offer an SLA.
Like similar commercial exploitation tools, such as Core Impact and Canvas, Metasploit is provided for solely legal security research and testing purposes, but can just as easily be used by malicious hackers as genuine researchers. You may feel more comfortable with a commercial relationship, but if no sensitive data is involved, then offloading resource-intensive penetration testing tasks to Metasploit looks to be an attractive option.
Dig Deeper on Productivity apps and messaging security
Related Q&A from Michael Cobb
A flaw in the open source graphics library libpng enabling denial-of-service attacks was discovered. Expert Michael Cobb explains how the ...continue reading
Flaws in the Apple Notify function and iTunes can enable attackers to inject malicious script into the application side. Expert Michael Cobb explains...continue reading
Facebook's Delegated Recovery aims to replace knowledge-based authentication with third-party account verification. Expert Michael Cobb explains how ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.