I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market – unsuccessfully.
It's not just that Core Security has a very complete script library – everyone has that or, at least, claims to. It's how they implement it. I had an interesting discussion about that with one of my students at the university recently. His position was that he would rather write and use his own tools than use a “canned” tool, such as Core Impact.
He's not alone. There are a lot of engineers who feel that way, until they need to make production deadlines in operational systems. The workloads of most security engineers preclude the use of the types of tools we write for ourselves. There are never-ending challenges for the information security and IT departments in most organizations. Periodic pen testing is just one of them.
What I really like about Core Impact is that it is the tool I would write for myself if I had time. It is that and then some. Moreover, there is a whole team of engineers and researchers at Core developing new test scripts. What does it take to come up with this type of tool? (And, by the way, that includes Core Essentials, its little sister, a fully automated scanner version that does its job with just a few mouse clicks.) It takes solid commitment to one of my primary principles: Don't think outside the box. Rather, refuse to admit that the box exists in the first place.
I've been watching Core since they started up, and they are innovators because innovation is their company personality. It seems a bit strange to say that they are innovators because they are innovators, but that circular argument certainly applies here.
What's in store the next 12 to 18 months at Core? They are doing more with wireless testing, more application testing and working on testing vulnerabilities specific to particular vertical markets.