Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/19/2010
05:11 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Metasploit: One Year After The Rapid7 Acquisition

Pen testers weigh in on whether the deal was a success or a sellout

When Rapid7 bought the Metasploit Project exactly one year ago this week, there were rumblings of concern that the open-source penetration testing tool would lose its identity and go all commercial. Metasploit indeed has gone commercial -- there are new commercial versions of the tool available now from Rapid7 in addition to the open-source framework -- but most penetration testers say the tool has maintained its open-source roots and is evolving much more rapidly with the added development resources.

Rapid7 rocked the penetration testing marketplace with its announcement it had purchased the Metasploit Project and hired its creator, HD Moore, as chief security officer of the company. Moore and Rapid7 executives were adamant about avoiding a failed open source-commercial marriage such as that of the Nessus scanning tool, which went from an open-source to a proprietary, closed-source license under Tenable Network Security. Their goal was to instead both improve and preserve the open-source framework, while making a commercial version of Metasploit as well.

Rapid7 marked the one-year anniversary of the union this week with the availability of Metasploit Pro, an enterprise version of the popular hacking tool that allows unrestricted, remote access to networks and comes with features such as collaboration, custom Web application testing, antivirus evasion, and social engineering.

Meanwhile, there have been 1 million downloads and updates to the open-source Metasploit Framework since Rapid7 took it in-house, and release cycles have gone from nine to 12 months to once a week now with the additional resources for the project, according to Rapid7's Moore. There are 120,000 active members of the Metasploit community, and 164 new exploits have been added to the Metasploit Framework since the acquisition. "The biggest difference now is that it's more than a one-person project," Moore says. "The project has more flexibility now" and includes quality assessment, he says. "It has commercial quality surrounding it."

Moore says the biggest challenge with the Rapid7-Metasploit union is responding to feedback and patch submissions quickly enough. Keeping the community developers in the loop and in lockstep with the internal development work is also a challenge.

"Many of the outside developers have pet projects, but these can fall by the wayside if the supporting code is churning faster than they can keep up," he says. "Prior to Rapid7, we received contributions for almost all levels of the framework, from the modules, which are mostly stand-alone, to the core libraries, payloads, and user interfaces. After the acquisition and due to the pace of development happening on the back end, most of the new contributions focus on the areas that require less work to keep up with the API, namely the modules and plug-ins. We are still seeing more contributions than ever before on the modules side, but most of the core development work now happens in our team."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.