Core Security Releases Latest Version Of Core Impact Pro

Core Impact Pro v10.5 includes integration with the Metasploit penetration-testing framework and Qualys PCI Connect SaaS platform

April 19, 2010

6 Min Read


BOSTON " April 19, 2010 - Core Security Technologies, provider of CORE IMPACT Pro, the most comprehensive product for proactive enterprise security testing, today announced CORE IMPACT Pro v10.5, the latest update to its flagship automated penetration testing software solution. This latest version of CORE IMPACT Pro provides customers with previously unavailable capabilities to integrate their diverse security testing, vulnerability management and compliance initiatives to more efficiently address their diverse IT security needs.

Among the updates to IMPACT Pro v10.5 are:

Integration with the Metasploit penetration testing framework

Integration with Qualys PCI Connect SaaS platform

Support for the Security Content Automation Protocol (SCAP)

Enhancements to the CORE IMPACT Dashboard and Usage Statistics

Use of the AES encryption standard for IMPACT Agent communications

Microsoft Windows 7 64-bit support

"IMPACT Pro continues to add the specific types of capabilities that today's enterprise security organizations need to best address their penetration testing requirements, from integration with other systems to expanded features and support," said Steve Shead, Director of IT & Information Security Officer and at "IMPACT Pro is constantly growing and diversifying to meet our needs as we continue to mature our overall vulnerability management programs."

Integration with the Metasploit Penetration Testing Framework

With CORE IMPACT Pro v10.5, customers can now integrate penetration testing efforts carried out using the solution and the open source Metasploit penetration testing framework. As many of today's advanced testers seek to incorporate multiple tools to gain maximum coverage, this new integration offers users of the two systems the ability to utilize Core's commercial-grade, automated solution " with its massive library of professionally developed exploits, easy-to-use interface, and in-depth reporting capabilities " directly alongside Metasploit.

The integration specifically allows testers to:

Bring a system compromised during testing with Metasploit into the IMPACT environment and deploy an IMPACT Pro Agent to:

o Launch IMPACT Pro's full range of capabilities from the compromised system.

o Utilize IMPACT's exploits, pre- and post-exploitation capabilities for in-depth, comprehensive attack replication.

o Pivot penetration tests to other systems, mimicking an attacker's attempts at identifying and exploiting paths of weakness to backend systems and data.

Use IMPACT Pro's automated Rapid Penetration Test (RPT) to exploit vulnerabilities, then launch Metasploit's db-autopwn feature and subsequently upload the results back into IMPACT Pro.

Test results garnered via these methods are also consolidated into IMPACT Pro reports, providing centralized, actionable data regarding critical risks and any exposed electronic assets to inform remediation efforts.

Integration with Qualys PCI Connect SaaS Platform As organizations continue to mature their vulnerability assessment and compliance automation programs, integration between penetration testing solutions and vulnerability scanning technologies has become a tacit requirement to lend greater speed and consistency to their work and meet auditors' expectations.

IMPACT Pro v10.5 offers fully supported integration with the QualysGuard' PCI Connect program, the industry's first Software-as-as-Service (SaaS) ecosystem for compliance with the Payment Card Industry's Data Security Standard " which affects all organizations processing credit and debit card data.

Qualys customers can now address PCI DSS Requirement 11.3 " which directs merchants to perform in-depth penetration testing on a frequent basis " and run IMPACT Pro's PCI Vulnerability Validation Report to complete their Self Assessment Questionnaire (SAQ) within the QualysGuard PCI Connect interface.

IMPACT Pro also allows organizations to carry out a wide range of security assessments dictated by other PCI DSS guidelines and validate the efficacy of many other mandated security controls.

"Section 11.3 of PCI DSS requires annual penetration tests anytime there is a significant infrastructure or application upgrade or modification," said Philippe Courtot, chairman and CEO of Qualys. "QualysGuard PCI Connect now integrates with CORE IMPACT Pro to help customers automate the penetration testing process and the verification of exploitable vulnerabilities."

Support for the Security Content Automation Protocol (SCAP) Launched by the U.S. National Institute of Standards and Technology (NIST) and National Security Agency (NSA) as a common format for exchanging IT security data, SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized manner.

In support of the SCAP standard, CORE IMPACT Pro v10.5 incorporates the following data into its reports and is also able to export the data in XML format for use in centralized security databases:

* Common Vulnerabilities and Exposures (CVE) Numbers * Common Vulnerability Scoring System (CVSS) Ratings * Common Platform Enumeration (CPE)

CORE IMPACT Pro Dashboard and Usage Statistics Enhancements To further advance ease-of-use in IMPACT Pro and enable customers to benchmark and compare their security testing initiatives, CORE IMPACT Pro v10.5 adds a range of improvements to its Dashboard interface, including more intuitive presentation of product usage statistics " both for consumption within the organization and for sharing anonymously with the opt-in Customer Community Data Aggregation program.

The updated Dashboard presents new categories of usage statistics, including a wide range of tactical web application and wireless infrastructure assessment results. In addition, the new release allows customers to gain insight into vertical testing trends by tagging their industry categories to usage statistics as part of the Customer Community Data Aggregation Program.

Use of the AES Encryption Standard for IMPACT Agent Communications AES is the most current and popular encryption standard, and CORE IMPACT Pro v10.5 updates agent communications to use AES encryption for interactions carried out between the product's Console and any IMPACT Agents deployed on systems while undergoing penetration tests.

Widely adopted by the U.S. government, the AES encryption standard replaces the product's previous encryption capabilities and can now be used for all communications between IMPACT Pro and compromised systems, masking exploitable vulnerability data, target system configuration, and exposed files, among other data streams.

Microsoft Windows 7 64-bit Support CORE IMPACT Pro v10.5 can now be installed on 64-bit versions of Windows 7 Pro and Ultimate.

"It's vitally important to arm today's organizations with the ability to carry out more coordinated and informed security testing and benchmarking, as well as address their compliance requirements in the most efficient manner possible, and CORE IMPACT v10.5 specifically targets all of these requirements," said Mark Hatton, CEO of Core Security. "As the litany of advanced threats and compliance audit demands, as well as the overwhelming avalanche of security systems and event data, continue to challenge organizations to find better methods to identify and address their most critical points of risk, we continue to raise the bar in delivering automated solutions to meet those specific needs."

About Core Security Technologies Core Security Technologies provides IT security executives with comprehensive security testing and measurement of their IT assets by adding real-world actionable intelligence and verification to their IT security management efforts. Our software products build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at 617-399-6980 or on the Web at:

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights