The future of Metasploit, the highly respected, open source penetration testing framework founded by renowned security expert H.D. Moore, was plunged into doubt last month following the announcement that the project had been acquired by Rapid7.
Boston-based Rapid7 is known for its closed-source NeXpose vulnerability scanning and reporting product, and fears were immediately raised that the acquisition of Metasploit would lead to the inevitable demise of the open-source Metasploit project as it exists today. Metasploit is favored by penetration testers, corporate security staff (and hackers) because it is open source and free, but mainly because of Moore's expertise and the wide community of security experts which contributes modules to Metasploit. Alternative penetration testing systems such as Core Security Technologies' Core Impact and Immunity's Canvas are arguably easier to use, but are too expensive for many smaller organizations to buy.
The fears may be based on the precedent of Nessus, an open source vulnerability scanner which was very popular before it went closed source in 2005. Nessus is now only available for commercial use with a subscription, and lacks the community contribution that Metasploit currently enjoys.
"... Metasploit will stay open source."
So are the fears for Metasploit's future founded? Corey Thomas, Rapid7's vice president of products and operations, says the company is determined to learn from what he perceives as the mistakes made by Tenable. "Tenable was mismanaged and ended up taking away from the community but contributing nothing. What we have learned from Tenable is that to stay successful you have to add to the community, " he says. To ensure this happens, Thomas says Rapid7 has established some ground rules for itself. "We believe that the community is key, so Metasploit will stay open source."
Rapid7's motivation for the acquisition of Metasploit is a desire to enhance NeXpose. Its scanning functionality is designed to highlight known vulnerabilities and produce a prioritized remediation plan, but Thomas says that best practice involves running a penetration test as well. "There are some things that a scan won't pick up that will be picked up by a pen test," he says.
Rapid7's plan is to be able to feed the results of a penetration test carried out using Metasploit back in to NeXpose, which will then use that information to adjust the remediation actions that it recommends. (Currently NeXpose users who use Metasploit have to reconcile penetration test results and NeXpose scan data themselves, and work out for themselves what the implications of the combined data are.)
But in the past some Rapid7 customers have been unwilling to use Metasploit, in part because it is not a commercial product offered with support, and in part because in many people's eyes it is seen as a tool favored by hackers, according to Thomas. Metasploit's Web site, which features a logo with an evil-looking hacker in dark glasses leering at a computer screen, does little to dispel this image. By acquiring Metasploit, Rapid7 hopes to legitimize it and make it more acceptable to use. "Some of our customers certainly had concerns that the software was not officially supported or quality checked. Of course in practice HD (Moore) reviews the quality of all the Metasploit code anyway, but we may charge for support in the future."
Thomas says there is another motivation too: the desire on the part of Rapid7 to improve NeXpose by getting its hands on Metasploit's vulnerability research expertise. "In this market vulnerability research is like manna, and having it is a competitive advantage," he says. The best way to get it is to tap in to publicly available data sources like the Metasploit community, he believes.
A key question then is whether the community will continue to contribute to Metasploit. To try to ensure that is does, Thomas says that Rapid7 will maintain two security research teams: one for NeXpose, and another lead by Moore, who will be employed by Rapid7 as Chief Security Officer and work on the Metasploit project full time as Chief Architect. The crucial part is that the two teams will share their research, Thomas says. This goes back to his original point about giving back to the community, not just taking from it, as he believes Tenable did. "Rapid7 will give its exploits to Metasploit and the community. We don't think that the competitive advantage is in the vulnerability data itself, it's in providing the best advice for remediation."
Security professionals and hackers will be watching Metasploit keenly over the coming months to see how the story pans out. If community support dries up and Rapid7 starts charging for vulnerability updates the way that Tenable does for Nessus then Metasploit could rapidly become an irrelevance to everyone except Rapid7's customers. But if the deal results in Moore having more time to devote to the project and if the research community stays engaged with the project, the result could be a free, open source penetration testing system which is more popular, and more formidable, than ever before. That would be good news for security professionals, and good news for hackers like the one illustrated on Metasploit's web site as well.