
Metasploit Project acquired by vulnerability management firm Rapid7

By Neil Roiter, Senior Technology Editor, Information Security magazine
21 Oct 2009 | SearchSecurity.com


The Metasploit Project and the immensely popular Metasploit Framework hacking tool have been acquired by network vulnerability management vendor Rapid7 LLC.

Financial terms of the deal were not disclosed. Metasploit will remain an open source project with the same free licensing, according to Corey Thomas, Rapid7 vice president of products and operations, but will benefit from full-time development and quality assurance (QA) staff; Metasploit creator H.D. Moore and several prime contributors join Rapid7.

Moore joins Rapid7 as chief architect of Metasploit, overseeing full-time development, and as CSO, driving much of the company's security and product strategy. Moore said the acquisition will strengthen the project.

"This is my dream: taking something I've been working on as a hobby and having the time, people and resources to make it better," he said. "It's a way to further my goals, getting the technology out there, getting people comfortable with using exploits to test the security of their products."

The Metasploit Project:

Metasploit was created by security researcher H.D. Moore in 2003 as a portable network tool written in the Perl scripting language. It was later rewritten in Ruby.

The Metasploit Framework development platform is used to perform penetration testing, IDS signature development, and exploit research. 

The Metasploit Framework is described as a module launcher, allowing the user to configure an exploit module and launch it at a target system.

The latest Metasploit 3.3 stable release is scheduled for mid-to-end October and is focused on quality, stability and improved usability.

In 2008 Moore and the Metasploit development team changed the Metasploit Framework from a proprietary license to a true open source, BSD-compatible license.

Acquisition benefits project.
Moore's dedicated time (he has been working on the project as his schedule allows) and the infusion of full-time staff and money are good news for the security community, said Ed Skoudis, founder and senior security consultant for InGuardians.

"I'm hoping this money and additional time for HD and other developers will improve the stability of some of the new and exciting Metasploit exploits," he said.

Rapid7 will benefit by bringing in a well-developed exploit platform and a research team that's already heavily vested in the project, said Eric Maiwald, vice president, security and risk management strategies at The Burton Group.

"The team already exists, Rapid7 doesn't have to build it; they already know each other and have a body of research," he said. "If they can maintain the existing outside assistance too, they will have more than if they just hired a bunch of smart guys to work for them."

Integration with Rapid7 NeXpose.
Rapid7 is working to integrate its NeXpose product's vulnerability assessment and Metasploit's exploit capabilities to improve risk scoring and prioritize vulnerabilities, Thomas said.

"NeXpose will integrate into Metasploit for pen testers to ease the process of getting vulnerability data into the pen-testing platform, and we're looking at automation around that," he said.

Skoudis said he expects this integration will reduce the problem of false positives produced by vulnerability assessment scans: a successful exploit confirms that the vulnerability actually exists (a failed exploit attempt, on its own, does not prove that it is absent). In addition, this approach moves toward better automation of pen testing.

There's a trend towards merging vulnerability assessment and pen testing tools, he added, citing SAINT Corp.'s combined product.

"These two separate and distinct market segments are now merging," he said. "The result will be more capable products that give more usable information, fewer false positives and will be more useful for penetration testers to better understand business risks."

Burton Group's Maiwald agrees that incorporating exploits improves the accuracy of vulnerability scanning, but said Rapid7 has some work to do.

"They have more work to be done to improve accuracy and reporting, and they [Rapid7] admit they have more to do on prioritization," he said. "It will be some time until we see significant improvements in how they prioritize what they find."

The Metasploit Framework, widely used by pen testers, is used for developing, testing and executing exploit code on remote machines. The project provides pen-testing resources and information about vulnerabilities.

NeXpose scans Web applications, networks, databases, operating systems, Lotus Notes and other software to find vulnerabilities, assess risk and recommend remediation.

Thomas was noncommittal when asked if Rapid7 would develop a commercial version of the Metasploit framework to compete with commercial hacking tools from companies such as Immunity and Core Security.

"We have an acceleration path now to improve stability, installation and setup and exploit coverage," he said. "We've spoken to people interested in more features and functionality that require more investment and are willing to pay, so stay tuned."

Moore said he had been approached in the past by investors who were interested in developing Metasploit into a commercial product, but that's not where his interests lay.

"Rapid7 made it clear they actually care about the community," he said. "They not only want to expand the community for Metasploit as it is now, but want to start building the same kind of community around the NeXpose products."


