For the second time in a little over a year, vulnerability management firm Rapid7 has made a significant investment in open source security tools. This time they have announced a sponsorship of w3af (the web application attack and audit framework), an open source project that is a leader in the web application vulnerability testing space.
The driving force behind w3af, Andres Riancho, joins the Rapid7 team as director of Web security, and Rapid7 will be opening a Worldwide Center of Excellence for enhanced Web security in Buenos Aires, where Riancho resides.
This is the second significant move into open source security by Rapid7. Previously they acquired the Metasploit penetration testing project directed by renowned security researcher HD Moore. Unlike the Metasploit acquisition, Rapid7 is not buying the w3af IP; they are just investing in the project as a sponsor. The project's licensing, copyright holders and IP ownership will remain with w3af. Rapid7 will be contributing resources as well as cash.
Web application vulnerabilities are the front line in the vulnerability management war today. Over the past 3 to 5 years the action has moved away from OS and standard vulnerabilities towards web apps, and a majority of vulnerabilities today are web app based. As a result, most of the vulnerability management players like Qualys, nCircle, eEye and IBM have moved towards scanning and testing for web application vulnerabilities as well. In addition, a whole cadre of stand-alone web application vulnerability companies, such as White Hat Security and NSpyder, has arisen to help deal with this threat.
What is interesting to me is that Rapid7, like Sourcefire before them, has deployed an open source acquisition/sponsorship strategy to bolster their commercial product line. Speaking to Corey Thomas, EVP of Operations at Rapid7, he says the company is a big believer in the quality of open source security projects. But the real driving force here was Riancho: bringing someone of his caliber on board and getting w3af with him was just too much goodness in one place to pass on. While Rapid7 does not have any other open source targets or plans for acquisitions or sponsorships, they are always on the lookout. If you know of one that may be a fit, reach out to him.
You can read more about this sponsorship on the FAQ that Rapid7 set up here. Though there are no firm plans now, I am sure you will see some sort of commercially supported version of w3af available from Rapid7 in the future. You will also see the w3af framework integrated into their flagship Nexpose product as well as with Metasploit.
When it comes to security, open source continues to lead the way!
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.