Penetration Testing Is Sexy, But Mature?

The buzz generated from Core Security's move to integrate with the Metasploit Framework has left me a little puzzled. Don't get me wrong: I love Metasploit. It's a fantastic tool that has certainly been put through its paces as a pen-testing tool -- it's free, open source, and extremely accessible to aspiring security professionals. And, of course, I've heard great things about Core's flagship product, Impact Pro. But the deal just seems like an odd move.I've spoken with a few friends about the announcement, and they were equally scratching their heads. We threw around a few ideas about the integration, from it being a simple a publicity stunt for keeping Rapid7 from stealing the limelight, to a legitimate effort at promoting a multitool approach to penetration testing. Since I'm an optimist, I'm sticking with the latter because it holds true to reality for how pen testers actually approach their jobs.

Just like we security pros like to say, "There's no silver bullet for security," the same hold true for pen testing. There isn't a single tool that can really do it all, and that's why companies have to take a multitool approach, as mentioned by HD Moore, Rapid7's CSO and creator of the Metasploit Project. That's why tools like Nmap, Maltego, Fierce, BurpSuite, Metasploit Framework, Impact, and hundreds of others exist. Can you imagine trying to take the functionality of all of those tools and rolling it into one?

BUT, there's a lot of good to be said about interoperability among pen-testing tools (something that's sorely lacking), and that's what Core is adding through its integration with Metasploit. For example, if a system is compromised via an exploit in Metasploit, then a Core Impact Agent can be deployed and managed via the Impact interface. Information gained from using Metasploit's db_autopwn can be brought back into the Core interface, which makes it more accessible for newer pen testers not familiar with Metasploit's msfconsole.

In other words, the data from db_autopwn is now in a pretty GUI instead of a SQLite database accessed using commands like db_host, db_vulns, and db_services within the non-GUI msfconsole.

OK, back to my original question. We all know penetration testing is sexy, right? Seriously, how many of us got into the infosec industry because we thought hacking stuff was cool? Yeah, I know...probably more than would care to admit. And what is penetration testing? That's right. It's hacking stuff -- people, computers, whatever.

But is the pen-testing software market maturing? I guess that depends if you include free, open-source projects like the Metasploit Framework. It's the only pen-testing software that's making huge headlines because of its recent purchase by Rapid7 and integration into a commercial product by Core. Yeah, I'd say it's maturing, and more companies are realizing the value of comprehensive penetration tests, but there's a long way to go before we see widespread adoption.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.