The Metasploit Project and the immensely popular Metasploit Framework hacking tool has been acquired by network vulnerability management vendor Rapid7 LLC.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.
Financial terms of the deal were not disclosed. Metasploit will remain an open source project, with the same free licensing, according to Corey Thomas, Rapid7 vice president of products and operations, but will benefit from full-time development and QA staff, HD Moore, Metasploit creater and several prime contributors join Rapid7.
Moore joins Rapid7 as chief architect of Metasploit, overseeing fulltime development and as CSO, driving much of the company's security and product strategy. Moore said the acquisition will strengthen the project.
"This is my dream taking something working on as hobby and having time, people and resources to make it better," he said. "It's a way to further my goals, getting the technology out there, getting people comfortable with using exploits to test the security of their products."
The Metasploit Framework development platform is used to perform penetration testing, IDS signature development, and exploit research.
The Metasploit Framework is described as a module launcher, allowing the user to configure an exploit module and launch it at a target system.
The latest Metasploit 3.3 stable release is scheduled for mid-to-end October and is focused on quality, stability and improved usability.
In 2008 Moore and the Metasploit development team
changed the Metasploit Framework from a proprietary to a true open-source BSD compatible license.
Acquisition benefits project.
Moore's dedicated time--he's been working on the project as his schedule allows--and the infusion of full-time staff and money is good news for the security community, said Ed Skoudis, founder and senior security consultant for InGuardians.
"I'm hoping this money and additional time for HD and other developers will improve the stability of some of the new and exciting Metasploit exploits," he said.
Rapid7 will benefit by bringing in a well-developed exploit platform and a research team that's already heavily vested in the project, said Eric Maiwald, vice president, security and risk management strategies at The Burton Group.
"The team already exists, Rapid7 doesn't have to build it; they already know each other and have a body of research," he said. "If they can maintain the existing outside assistance too, they will have more than if they just hired a bunch of smart guys to work for them."
Integration with Rapid7 NeXpose.
Rapid7 is working to integrate its NeXpose product's vulnerability assessment and Metasploit's exploit capabilities to improve risk scoring and prioritize vulnerabilities, Thomas said.
"NeXpose will integrate into Metasploit for pen testers to ease the process of getting vulnerability data into the pen-testing platform, and we're looking at automation around that," he said.
Skoudis said he expects this integration will reduce the problem of false positives produced by vulnerability assessment scans. The exploit piece confirms that the vulnerability actually exists. In addition, this approach moves towards better automation of pen testing.
There's a trend towards merging vulnerability assessment and pen testing tools, he added, citing SAINT Corp.'s combined product.
"These two separate and distinct market segments are now merging," he said. "The result will be more capable products that give more usable information, fewer false positives and will be more useful for penetration testers to better understand business risks."
Burton Group's Maiwald agrees that incorporating exploits improves the accuracy of vulnerability scanning, but said Rapid7 has some work to do.
"They have more work to be done to improve accuracy and reporting, and they [Rpaid7] admit they have more to do on prioritization," he said. "It will be some time until we see significant improvements in how they prioritize what they find."
The Metasploit Framework, widely used by pen testers, is used for developing, testing and executing exploit code on remote machines. The project provides pen-testing resources and information about vulnerabilities.
NeXpose scans Web applications, networks, databases, operating systems, Lotus Notes and other software to find vulnerabilities, assess risk and recommend remediation.
Thomas was noncommittal when asked if Rapid7 would develop a commercial version of the Metasploit framework to compete with commercial hacking tools from companies such as Immunity and Core Security.
"We have an acceleration path now to improve stability, installation and setup and exploit coverage," he said. "We've spoken to people interested in more features and functionality that require more investment and are willing to pay, so stay tuned."
Moore said he had been approached in the past by investors who were interested in developing Metasploit into a commercial product, but that's not where his interests lay.
"Rapid7 made it clear they actually care about the community," he said. "They not only want to expand the community for Metasploit as it is now, but want to start building same kind of community around NeXpose products."