Early yesterday the news became official, first by press release and then by a very well done podcast over at Risky Business: the very popular Metasploit project has been acquired by Rapid7.
Metasploit is the largest and most widely used penetration testing framework and collection of publicly available exploits. The project's founder, HD Moore, is a well-known and respected member of the security community. Rapid7 is a provider of commercial vulnerability management software, which is a fancy way to say they scan networks for vulnerabilities and generate reports.
At first glance, detection and exploitation sound like very similar efforts. The truth is that they are very different efforts. Let's imagine that Microsoft releases a patch. The folks at Rapid7 will immediately begin reverse engineering it. They need to understand what changes between a patched and an unpatched machine and, more importantly, how the heck you can remotely detect that behavioural difference without crashing the target machine. Using a variety of techniques, they determine whether the machine is "likely" to be vulnerable and include that in a report.
Metasploit has a much different purpose. The same reverse engineering effort goes into figuring out what changed between the patched and unpatched machine, but to a different end. The purpose here is to figure out what was fixed and, once you've isolated what got fixed, to find out how the "broken" code was exploitable. Hopefully it is possible to write an exploit that works with some consistency. And worrying about the target machine's stability certainly isn't a concern in the way it is for a scanner.
Aside from the research overlap, bringing Metasploit into the Rapid7 fold makes plenty of sense for the folks at Rapid7. The inclusion of the Metasploit intelligence will help them provide their customers with more realistic risk analysis. Understanding what is "theoretically a problem" versus what is "easily and consistently exploitable" changes risk substantially. The real risk to a single machine's security posture may depend on a variety of prerequisites and dependencies involved in getting an exploit to work.
From the Metasploit perspective there is no commercial interest behind the project, so the fit is harder for folks to see. Certainly the community will have fears that Rapid7 will make the source closed and proprietary, that Rapid7 may alienate the community, or that the useful Metasploit features will only be available at a cost. A good example of this is the Nessus project, which went to a closed source model shortly after Tenable took it commercial. On the other hand, the joining of open source and commercial interests has been accomplished while maintaining the community aspects, as illustrated by Sourcefire's stewardship of the Snort project.
Bottom line: I don't really care what the PR department says, but if HD says the project will stay open source and continue with even more momentum and community involvement, I believe him. His credibility is rock solid, and as anyone who knows him knows, he's one of the most sincere people you'll meet. Some disclosure here: HD also custom-built the netbooks we gave away for the SecTor awards, with no personal benefit or interest other than supporting the community. This move to Rapid7 will also be for the benefit of the community.