Making Sense of Rapid7's Metasploit Acquisition

The information security community may benefit from it, experts say, but much depends on how Rapid7 handles its new property

News of Rapid7's Metasploit acquisition hit some in the information security community like a clap of thunder. The Metasploit Project has a deep, loyal user base, and it's always unsettling to those who rely on open-source tools when those tools are snatched up by a commercial vendor.

But in the hours after Wednesday morning's announcement, cautious optimism began to take hold. Some IT security practitioners started to see the potential benefits of a Rapid7-Metasploit union -- providing the vendor handles its new property and user base with great care.

"They certainly have acquired an exceptional back-end research capability," said Pete Hillier, CISO at CMA Holdings in Ottawa. "The question is if they can ensure the continuity once the acquisition is complete?"

Some are skeptical of that, including Richmond, Va.-based IT security practitioner Rick Lawhorn, who quipped in an e-mail: "The road to hell is paved with good intentions. Unfortunately, the ones who will be happy are the bad guys; with a potentially-reduced focus on making things secure and greater focus on profitability."

Rapid7, a vendor of unified vulnerability management, compliance and penetration testing tools, said it will use Metasploit to enhance its NeXpose product. It also promised to "sponsor dedicated resources and contributions to the standalone, community-driven Metasploit Project to further its growth and success."

"Metasploit and Rapid7 NeXpose are uniquely positioned to improve upon the industry-leading capabilities of both products and to raise the bar on the industry at large," Mike Tuchen, president and CEO of Rapid7, said in a press release. "With our broader solution portfolio, we are the first security provider to meet the demand of enterprises and government agencies in enabling them to identify and mitigate exploitable threats in their IT environment based on their security risk profile."

The vendor said Metasploit Project founder HD Moore will become Rapid7's chief security officer and will remain Metasploit`s chief architect. For his part, Moore predicts big dividends for his user base.

"This acquisition provides dedicated resources to the project, accelerating our growth and allowing us to provide even better solutions to the community," he said in the Rapid7 press release. "Rapid7 recognizes the value of the community and is passionate about the success of the project."

Nick Selby, a faculty member of the Institute for Applied Network Security (IANS) and managing director of Trident Risk Management, is among those expressing optimism. "The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing," he wrote Wednesday in the IANS blog. "Quality will likely rise, average price will likely fall, and functionality will likely increase. This is a good time to be in the market for pen-test software."

See also: Why Pen Testing is Central to Pennsylvania's App Security

Selby wrote that the dynamics of the pen-testing market have been that Core Security sat atop the marketplace in terms of price, scale and enterprise usability while Immunity Security "cleaned up at the lower end of the enterprise market" and dominated for vendors and professional services types who also used Metasploit as a free tool. The Rapid7-Metasploit union will likely shake up that dynamic, to the benefit of buyers and end users, he added.

Boston-based IT security practitioner Zach Lanier said the acquisition is "phenomenal" news for Moore, Egypt (a Metasploit developer, now joining the project/Rapid7 full time), and Rapid7 as a whole. "Naturally, this acquisition will give Metasploit access to more resources, including more full-time team members; Rapid7's knowledge base; and technology and tools," he said. "This will also bring more visibility to Rapid7's vulnerability scanner, NeXpose, given the complementary nature of the Metasploit Framework."

Though he's reluctant to simply accept that there will be little-to-no change in the Metasploit Framework's licensing and open source nature, Lanier said he's "pretty confident" Moore and others "will adamantly defend such important principles."

Gadi Evron, a security strategist based in Israel, said the acquisition at least goes to show that not-for-profit work can exist in today's market and be competitive enough to draw commercial interest. Asked if he believes Rapid 7 will handle its new acquisition in a way that will benefit users or, at the least, do no harm, Evron said, "One would hope they would, just as one would hope HD made sure they would."

This story, "Making Sense of Rapid7's Metasploit Acquisition" was originally published by CSO.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT