Rapid7, known for vulnerability management, smart researchers and technicians, compliance, and most of all penetration testing, announced that they have acquired the one name synonymous with pentesting and open source, Metasploit. The initial reaction to this news from most of the security world is mixed, but overall the feeling is one of “wow”.
[Image caption: Rapid7 tightens their pentesting game – acquires Metasploit.]
You might not know Rapid7. However, if you are involved with security in the IT world, then you know all about Metasploit. As mentioned, Rapid7 deals with penetration testing, compliance and vulnerability management. The flagship offering is NeXpose, which is Rapid7’s scanner that covers Web applications, databases, networks, operating systems, and Lotus Notes, just to name a few.
Kool-Aid drinking aside, NeXpose does more than 30,000 vulnerability checks against 1,500 systems, allowing IT to discover and narrow down security risks to their assets. Adding Metasploit to this mix will be a huge boost for Rapid7 in the long run.
“It’s great. Rapid7 is a really good match,” said HD Moore, the CSO for Rapid7 and Chief Architect for Metasploit.
In a blog posting, Moore covered more ground when he wrote, “Rapid7 was the right company for Metasploit for a number of reasons. First and foremost, they understand the value of the community and have seen the benefits that funding a project like Metasploit can provide since our first conversation.”
“Second, the management team at Rapid7 is made up of some brilliant folks. They may not be exploit developers, but they understand business and how to make a marriage with Metasploit increase their own bottom line without destroying the value of the project in the process.”
In a conversation with Rapid7 and Moore on the news, we mentioned that one solid bonus to come from this business decision will be better funding for the Metasploit Project. Moore agreed, adding that QA has been an Achilles heel, as they didn’t have the staff to deal with it. That is in the past, however, as the influx of funding will allow them to do QA on a regular basis, allowing them to “kick ass,” Moore said.
“One of the issues we run into is any feature that takes more than a couple of hours to get done tends to get pushed off almost indefinitely, because no one really has the time to do it. The more mundane, boring, or annoying a task is, the less likely it is that the community is going to jump on and help out with it,” Moore explained, adding more on how the extra funding will shape Metasploit.
“The way that our normal release process works is I’ll spend two or three weekends straight in a row doing QA, testing, builds, getting feedback, all the stuff that our normal exploit-minded development community doesn’t really want to get into. So going forward I can actually spend not only my time but other folks dedicated to the project, to getting stuff much quicker and much smoother. So hopefully we’ll see much bigger features and much more advanced features going forward.”
Rapid7’s NeXpose and Metasploit will remain separate products, but NeXpose will be tightly integrated with Metasploit’s code. The two products combined will aid businesses with risk management.
“The way companies do it today, even if you get rid of all the false positives, going through all the vulnerabilities that are out there, it’s a crap shoot about whether you’re hitting the ones that could potentially result in a data breach,” explained Corey Thomas, Vice President of Product Management and Marketing at Rapid7.
“We’ve got to help companies identify the ones that are exploitable, and of those that are exploitable, which one of them potentially has payloads that are more dangerous than others?”
However, one point made clear is that this will not be the next Nessus. Metasploit will remain open source, and Rapid7 plans to contribute back to the project on a regular basis. As Metasploit is open source, Moore said that others can fork the project if they wish, but because of the acquisition, the Metasploit name, domains, and more are off the table.
Another aspect of the acquisition news is the growth of the official Metasploit team. In short, HD Moore and Rapid7 are hiring. When asked about the timeline for taking on new staff, Moore responded, “Tomorrow if I can land them. If they’re willing to walk away from their jobs today, we’ll hire them and get them on if they pass the interview process.”
There are a lot of good candidates lined up, Moore added, but there is still some struggle in finding an Exploit Engineer with Metasploit experience. “We’re actually getting applications from some of our commercial competitors in that space right now.”
One spot is already filled, by long-time contributor and developer Egypt, who will join Moore and work on Metasploit full time as its first core developer. In his new role he will handle all the backend APIs and help with QA on the release tree. One thing that stands out is the plan to pull staff from the Metasploit community where it makes sense to do so. There are also plans to add a user interface designer and a QA engineer.
One thing Rapid7 plans to do with this merger is to use it as leverage in the marketplace against firms like nCircle, Secunia, and Qualys.
“The bottom line is that customers want to know. Yes they want to know about vulnerabilities, but more importantly they want to know ‘where are all my exploitable threats,’” commented Thomas when asked if this merger will help Rapid7 with leverage.
“And to the degree that we execute well and we over-deliver there, it will be a clear differentiator and more importantly a clear value to customers.”