Metasploit's HD Moore from (almost) rags to (not quite) riches

Metasploit might become an example of how a fully FOSS project grows up to turn a profit.

Last week, I got on the phone with HD Moore to ask him how things have been going since he sold Metasploit to Rapid7, sending the open source security world into a frenzy some six months ago. Rapid7 had just released the commercial version, dubbed Metasploit Express, of Moore's much beloved open source penetration testing tool.


I found Moore to be as hyped as ever (he talks very fast!) over the FOSS project, even as he discussed the new commercial version.

First off, I couldn't help wondering if the sale had been motivated mostly by financial concerns ... was he rich now? Living in a big house? While he didn't exactly share his net worth with me, he explained that after working for a start-up, BreakingPoint Systems, for four years, he was more concerned with making a career change than with getting a big payout. He is still living in the same house.

In fact, he said his daily routine "is not that different for me personally. [Metasploit] is a never-ending pit of time. I can always improve it, always make it better," he quips. Well, not precisely the same. Rapid7 had the good sense to add Moore to its internal IT team, working on security, in addition to having him talk with Rapid7 partners and do "general engineering stuff," he says. Hence his titles: Chief Security Officer at Rapid7 and Chief Architect of the Metasploit Project.

Metasploit has benefited, Moore says, because it is now the focus of six full-time, paid employees. Rapid7 tried to hire two of the project's main developers, but only scored one. It was also able to hire two of the project's part-time contributors.

At the time of the sale, he promised the Metasploit community that they would NOT see a slow demise of the tool under Rapid7's care. A common perception is that Rapid7, which offers a proprietary vulnerability management tool, NeXpose, may be pulling an "Oracle" ... buying a FOSS project for nefarious reasons, mostly involving making the tool go away. (Moore, however, says NeXpose is a vulnerability scanner, not a pen testing tool, and therefore doesn't compete with Metasploit. It competes with Qualys, nCircle, and Tenable.)

Some in the industry also thought that Rapid7 held no love for open source. Moore says that's a mischaracterization. He points out that many of Rapid7's founders and original engineers do contribute to open source and have been involved in some high-profile projects. Chad Loder, for example, worked on the IPsec stack for OpenBSD.

But he's also got a point when he says, "The challenge for open source is that, while it's a fun hobby, how can we make it profitable -- a real business? We can operate an open source project, but how can we make it sustainable?"

That's my curiosity. Metasploit might become one of the first examples of how a completely FOSS project grows up to be commercially successful. It is the venture capital model without the start-up money (though VCs are funding plenty of open source start-ups these days, too). Build it. They will come. Someone will buy it. And if you want the community to stay, the FOSS project had better remain as well supported as the eventual commercial version.

This isn't the first open source project to have been bought by a larger company. And the jury is still out on most of them. I could argue that Metasploit is a bit unique in that it didn't have a commercial arm when Rapid7 acquired it. That could not be said about SUSE or MySQL or even Gluecode (bought by IBM), etc. (Then again, I admittedly haven't done the research to know how many acquired FOSS projects had no commercial version and were not venture funded. If you know of others, let me know and I'll write about them, too.)

And there are concerns when a select few are in a position to profit from the collective work of many volunteers who think they are working on a solely not-for-profit project. That's why Metasploit is a case study.

What Rapid7 is selling is management and ease of use. For the developers that still want to go elbow deep, Moore notes that the free version is not only available, it has been well maintained. "The 3.3.0 release, 3.3.3, 3.3.1, all those releases were under Rapid7. We haven't changed the licensing, registration, or delayed access to exploits -- we've added 100K lines of code to the project," he says. "When talking to the user base, I've found there are two types of users. Those that like to get their hands dirty, writing scripts, making modules. Nothing commercial would make them happy. If we continue adding features, but not [turn Metasploit] into a real product, they would be happy."

The second type is one that, for a variety of reasons, would like to make Metasploit easier to use and is willing to pay for that. They might be IT folks who are too busy to spend time customizing their penetration testing tool; they might lack the development know-how; they might be security researchers or others in charge of testing tens of thousands of machines that "simply don’t have the time to run tools by hand."

There's reason to believe Moore when he says the FOSS product will remain a high priority for Rapid7. Metasploit has a reputation of being a favorite for the bad guys, too, since it is known to add exploit code quickly. While some have argued that distribution of the tool should be restricted to those who can somehow prove they are legitimate business people, Moore notes that this doesn't really work. It makes it too difficult for those who really need the pen testing to get it, including students, researchers and small start-ups building the Next Big Thing.

Moore's philosophy is that restricting the inclusion of new exploits only helps the bad guys. "We’re always chasing the bad guys -- the good guys are never ahead. We’re not the ones who wrote these exploits. They are often found in the wild and the defenders are generally following the black hats."

So Metasploit will only inspire loyalty if exploits continue to be added quickly.

Do you expect the commitment to the FOSS project to continue now that Express has entered the market?


Copyright © 2010 IDG Communications, Inc.