News

Rapid7 Acquires Open Source Metasploit Security Project

• By Jabulani Leffall
• 10/21/2009

An independent security researcher and a prominent figure in open source exploit data collection now has a new commercial home.

Rapid7, a vulnerability management company, announced on Wednesday that it had acquired H.D. Moore's Metasploit Project for an undisclosed amount.

What would normally be a run-of-the-mill business transaction has larger implications for the IT security ecosystem. Rapid7's financial backing could have lasting effects on the way bugs, bots and worms are studied, detected and ultimately expunged. Metasploit currently is the principal group behind open source penetration testing. It could become the primary Internet resource for vulnerability data if Rapid7's commercial backing proves successful.

"I'm aware of the potential implications and we want to maintain what we've been known for up to this point," Moore said in an interview. "In this case, the goals come together really well and the marriage [of] companies is a good one."

From Rapid7's perspective, having an exploit data clearinghouse under its corporate umbrella could be an exciting commercial proposition, according to Corey Thomas, vice president of products and operations at Rapid7.

"For many companies -- in fact, I would say for most -- there are too many vulnerabilities out there to consider when you're thinking about your entire patch cycle," Thomas said. "What we want to do with this deal is attempt to capture any and all information that puts a company's data integrity and network at risk."

Rapid7 will benefit from Moore's industry expertise, too, which in some ways is just as valuable -- if not more so -- than the Metasploit database, the Web site and all of its technical accoutrements.

According to Moore, the merger comes at a time when he believes the overall "well of Windows vulnerabilities" seems to be drying out at the operating system and kernel levels, giving way to stronger bugs that affect individual Microsoft applications as well as third-party applications. However, the fundamentals of detection and protection remain the same, even with bug iterations moving away from the core OS.

For instance, Moore said, there may soon come a day when many Windows PCs running XP (or another OS) have SaaS-based applications from Microsoft and third parties sitting on them. When that happens, many so-called "magic" plug-ins and third-party apps with inherent holes will be exposed.

"We're seeing more and more niche vulnerabilities and third-party vulnerabilities," Moore said. "This is where the challenge comes into play -- finding these vulnerabilities."

Moore added that the risks are the same with virtualization and cloud computing.

"It's the same case," he said. "Now you have the additional risk or a risk transfer to a virtual client software program, a virtual network or virtual workstation where exploits still need to be detected and flushed out."

As for the acquisition itself, Moore said that this particular merger -- that of a security firm and an open source community project -- is unique.

"The problem with traditional acquisitions of open source technology is that it typically ends up burning the community," said Moore, who added that companies looking to monetize free technology can often kill both the spirit and effectiveness of that technology. "For Metasploit, what we provide now will stay free. We want to go in the opposite direction of most mergers."

As with most open source projects, security experts say, Metasploit would have eventually needed financial backing to continue to offer its resources for free and stay up-to-date with exploit data.

Diana Kelley, partner and analyst for security consultancy SecurityCurve, said that for a number of years now, open source community security projects have been providing important contributions to risk prevention research and technology.

"Without proper support, however, it can be difficult to keep community projects running and open source software current," she said.  

Moore stressed that the merger aside, Metasploit will continue to expand its exploit library and "create a broader platform with publicly available exploits" to help IT shops and users "stay ahead of the changing threat landscape."