One of the reasons Metasploit is the tool of choice for so many is that it has a big user base that actively updates it. It's not unknown for software vulnerability advisories to be accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation steps of that particular bug. Exploit code is a necessary evil for penetration testers, IDS signature developers and network administrators wanting to verify an installed patch actually works.
In order to improve on the current feature set, Metasploit is intending to add service-based features, such as a password cracker and the opcode (operation code) database. Certain exploits, such as buffer overflows, usually require precise knowledge of the position of certain machine language opcodes in the program or library being attacked. These added services from Metasploit will allow an exploit developer to test his code against multiple versions of a piece of software when only one version of the software is available.
Your question is whether you want to share any of your information with an outside provider. Critical data should only be shared with a third party if you are satisfied with their service-level agreement (SLA) and are confident the provider will deliver on it. Additionally, certain data you process may be covered by various regulatory and compliance rules restricting how, where and to whom data can be sent. The people behind Metasploit have said they may require registration and telephone confirmation to prevent abuse of the new services, but the framework is an open source project, and they are unlikely to offer an SLA.
Like similar commercial exploitation tools, such as Core Impact and Canvas, Metasploit is provided solely for legal security research and testing purposes, but it can be used just as easily by malicious hackers as by genuine researchers. You may feel more comfortable with a commercial relationship, but if no sensitive data is involved, then offloading resource-intensive penetration testing tasks to Metasploit looks to be an attractive option.