Metasploit, the organization behind the Metasploit Project, a popular open-source tool for exploit research, has been acquired by vulnerability management provider Rapid7.
Under the terms of the deal, announced Wednesday, Metasploit will continue as an open-source project, freely licensed to noncommercial users.Metasploit founder HD Moore will become the chief security officer at Rapid7 and remain as Metasploit`s chief architect.
“From a user's perspective, Metasploit will still be free,” Moore wrote on the Metasploit blog. “All of the important bits are going to remain open source, a point that was very important to me, since its open nature is what drew me to Metasploit in the first place and what, I believe, attracts many of its users and contributors.”
The Metasploit technology is an aid to people who do penetration testing, intrusion detection system signature development and exploit research. According to Rapid7, it will roll Metasploit into its NeXpose product, which scans networks, applications, databases and operating systems, among other IT elements, for vulnerabilities. The solution typically is used to assess security risks and even recommend remediation approaches.
“We will leverage Metasploit technology to enhance our vulnerability management solution, Rapid7 NeXpose,” said Mike Tuchen, president and CEO at Rapid7, in the acquisition announcement. “At the same time, we will not only maintain but accelerate the open-source framework Metasploit with dedicated resources and contributions.”
What does the acquisition mean to the vulnerability management industry segment? The competition is unlikely to diminish.
“If I was to put myself in Rapid7's shoes, I would say that they would have to compete big time against Core Impact [a competing vulnerability management vendor],” Philippe Courtot, CEO of vulnerability management company Qualys, told SCMagazineUS.com Wednesday. “But more important, I would say that when you are a proprietary software company, moving into open source is a little bit tricky. They typically involve very different goals and have very different kinds of individuals involved.”
The acquisition may or may not constitute an advantage for Rapid7, one competitor said.
“If they're planning to add capabilities to their scanning technology to be able to compete more aggressively with other leading companies in vulnerability management, it opens another option,” Ivan Arce, CTO of Core Security, told SCMagazineUS.com Wednesday. “We'll see what happens in the coming months.”
But other security experts see the combination as sanguine.
Joel Esler, a handler the SANS Internet Storm Center, predicted Wednesday on the organization's blog that additional funding from a private company will enable Metasploit to produce stronger exploit tools.
“Anytime there can be commercial funding and backing put behind an open-source program in order to further its development, I consider it a good thing,” he said.