As many of our followers will already know, it was announced by scanner maker Rapid7 today that they will acquire Metasploit LLC, the IP for the Metasploit penetration testing framework, and hire Metasploit creator H.D. Moore and at least one other member of his team going forward.
Core Security was happy to hear this news and glad that it’s finally been made public. The Metasploit project has always been a great vehicle for exposing a lot of people to penetration testing software and techniques, and as an open source project it has applied community-based research to the idea of security testing that we deeply believe in and have provided as commercial-grade software for years – long before H.D. and his team ever wrote a line of code. We are also glad to hear that the project will have additional support and remain as open source, open license technology even while being owned and managed by a for-profit, VC-backed company. This is all great news for Core Security Technologies for a lot of different reasons.
One factor that comes immediately to mind is that the combination of Rapid7 and Metasploit validates one of the many values of penetration testing software that we’ve been promoting for years – specifically, the use of scanner data as an input feeding into the full penetration testing process and the concept that vulnerability exploitation (as part of penetration testing) can help validate and prioritize the output of scanners. I discussed the ability for Rapid7’s scanner to feed into Metasploit (as it currently stands) in a blog post filed last Spring when the two companies first announced their initial integration partnership.
Of course, CORE IMPACT has offered fully supported integration with all of the leading scanners for years, and will continue to do so, and we consider that to be a huge benefit to our business as customers have told us repeatedly that they want to use their choice of vulnerability scanners -- often more than one -- closely together in cooperation with our penetration testing solutions. Also, one must recognize that in any growth market there must be multiple vendors. Competition raises everybody’s game and expands the market, and the leader always benefits if it takes the high road and stays focused on providing maximum value to its customers. While not a new entry in the space, there is now in Rapid7-Metasploit an emerging combination that could someday turn into something interesting. While I do not know H.D. personally, many people at Core do. We would like to congratulate him and others on the Metasploit team for their success and we’re glad to see them getting recognized, and actually hired, for all the good work that they’ve contributed to the penetration testing community in the past. Today it’s the same Metasploit we’ve all come to know, but we look forward to seeing future developments.
As it stands, IMPACT Pro empowers organizations to perform automated penetration testing that closely emulates the same types of sophisticated, multi-staged attacks that organizations are seeing in the wild – without having to be a highly experienced, high powered security geek or hacker to do so. Whether recreating hacking attempts that seek to move through Web applications or endpoint vulnerabilities to get to the network and protected databases (as in the Albert Gonzalez/Heartland attacks) or emulating malware driven by social engineering that depends on end users to open attachments to find their way onto corporate networks, only IMPACT Pro (via its patented agent technology, among other things) offers the ability for testers to recreate the same types of conditions that they’re seeing today as attackers try their hardest to find any way in that they can.
IMPACT Pro is a commercial-grade solution developed by a dedicated team of full-time developers, exploit writers and QA testers, among others. IMPACT Pro is the kind of commercial-grade solution that companies and organizations require to provide safe, predictable testing capabilities across multiple vectors (network, Web applications, endpoints, end users and wireless), with in-depth onboard reporting, dedicated customer support, specialized training and regular updates. It was designed specifically for use within the diverse production environments that exist within today’s enterprises. We think that these are all factors that contribute to our unquestioned leadership in the penetration testing market and we look forward to continuing to expand the security breadth, security depth, usability, data gathering and reporting, and other advanced, easy to use, in-depth penetration testing capabilities that our many customers have come to know and rely upon.