
Metasploit Project acquisition ups ante for penetration testing market

Rapid7's acquisition of the Metasploit Project takes down one of the few remaining open source security projects. But expect a smooth transition; there have been many success stories and mistakes made to learn from.

There's a little bit of Marty Roesch in HD Moore. When you hear Moore tell his story of spending long hours, literally and figuratively in his basement, pounding out the Metasploit penetration testing framework, you can't help but think you've heard this tale before. And that's because you have, from Roesch, the man who wrote Snort in the bowels of his Maryland home, after hours, on weekends and during any other spare moment he had.

Both of these guys put a lifetime's worth of sweat and tears into their respective pet projects. Both built enormously popular and influential security programs. Both decided to share the labor of their love with the world by putting Snort and Metasploit out there as open source. And it's not a stretch to think the safety of many of the world's most critical IT systems is due in some part to these two very different tools.

Oct. 21 marked the end of an era when vulnerability management vendor Rapid7 announced it had acquired the Metasploit Project and framework. Metasploit was one of the few open source security projects still standing. Snort was commercialized by Roesch with the formation of Sourcefire in 2001, which in time also acquired the popular Clam AV. Meanwhile, Tenable Network Security, in 2005, changed the licensing on the Nessus vulnerability scanner, making a great deal of its code closed source.

Moore, along with Rapid7 executives, promises to maintain Metasploit as open source and has tried to soothe any early anxieties of the Metasploit community by pointing out that, for the first time, the project will have dedicated and paid resources. That, Moore says, will translate into faster and better updates. It seems inevitable that Metasploit will eventually be commercialized as a standalone product, a move that would put it in the crosshairs of Core Security's Core Impact product and Immunity's CANVAS platform. But for now, Rapid7 says it will integrate Metasploit's exploit capabilities with its NeXpose vulnerability assessment tool.

As for Moore, he says he's been pinged with offers before for Metasploit, but mostly by companies wanting to commercialize it and not so cognizant of the community that uses, supports and contributes to the project.

"During discussions we had about the integration of the product, it became clear they actually care about the community," Moore says, pointing out that prominent members of Rapid7's professional services team were already contributors to Metasploit. "Over the last couple of months, we talked about the impact to community. One of the things that appealed to me is that the licensing for the Metasploit framework as it is isn't going to change. The product will be offered for free. It will still be under an open source license. It will still have the same community developers, but instead some of those developers will be getting paychecks and dedicated QA resources for the framework itself."

The licensing issue is a huge one, and one that tore into the Nessus community. In 2005, when Nessus3 became closed source, the decision was made to offer the core Nessus engine for free, but charge up to $100 a month for plug-ins and updates. Sourcefire also made some licensing changes to Snort, but maintained the project as open source and engaged the community that helped build it. You can bet Moore will look at the outcome of both scenarios as he and Rapid7 guide the future of Metasploit.

"One scenario you want to avoid is Tenable; it's the absolute worst example of somebody taking an open source product and pissing off an entire community and getting nothing back out of it," Moore says. "By closing off the community and shutting everyone out, they lost huge marketing. They lost an entire draw for their commercial product just by shutting out the community of developers by their license change, and anti-community attitude. We want to make it clear that our community will get a lot more stuff for free and faster. Faster exploit turnaround, more QA releases, more frequent releases, more dedicated folks doing support on it, as well as exploit development and bug fixes."

In the end, this might be a boon for the security of enterprise networks that must undergo regular pen tests to satisfy industry and federal regulatory mandates. Nick Selby, managing director of Trident Risk Management, wrote an analysis of the deal and its impact on the market on the IANS Perspective Blog. Long story short, Selby says if Rapid7 pulls off the integration and works on the usability of its product, it will force Core and Immunity to up their games. Selby cautions that Rapid7 is at a marketing and sales disadvantage when it comes to the quality control and safety of exploits (not to mention "derivation of the exploits"), in comparison to Core and Immunity, which have established processes in both areas.

"Assuming that Rapid7 and Metasploit are able to integrate and address those issues, then the dynamics will change at both Core and Immunity," Selby writes. "The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing. Quality will likely rise, average price will likely fall, and functionality will likely increase. This is a good time to be in the market for pen-test software."


Michael S. Mimoso is Editor of Information Security. Send comments on this article to [email protected].
