First up a quick Troll shoot.
- The license for Metasploit stays BSD.
- Metasploit continues to be a community driven project.
- When an Open Source project gets commercial backing the developers on that project don’t need day jobs anymore. They also get resources, tools, and budgets. This in my opinion means a lot of new code for this project in a short period of time. I saw exactly this when I started with Sourcefire almost 7 years ago, no more small releases just big old feature releases.
- Faster exploit development. If you have resources and people you can quickly set up development environments, test things, reverse things, and build Metasploit modules. I’m guessing the number of exploits in Metasploit will quickly eclipse CORE and Immunity within a 6-month timeframe. I’m guessing this will follow the same course as with the Sourcefire VRT; go from 3k rules to 5k rules overnight.
- Stability and Reliability. If you buy something you want it to work and if you’ve got resources your Open Source users expect a higher quality product. I’d assume they are going to hit this area first.
On the Vulnerability Management side, I think this changes the game for guys like nCircle and Tenable as Rapid7’s NeXpose™ product will be the only Vulnerability Management tool that can actually prove what it is reporting. It also gives Rapid7 the interesting advantage of being able to live test mitigation strategies and defenses. This is something that other vulnerability management solutions can’t do out of the box. That said it is going to be interesting to see how this integration takes place, and how many people are willing to click the “exploit host” button if that is how it is done.
Outside all that, I always love seeing Open Source products make it into the commercial game, as it continues to show the value of Open Source in the enterprise, and that just because software is free doesn’t mean it’s not worth more than the sum of all its license text.
May I add to your Troll Shoot:
Those not happy with developing for or submitting their ideas / exploits to the Metasploit project, now that those submissions will also go to Rapid 7, are seriously underestimating the fact that all those companies were pulling that information already.
It is quite possible that, given the use of the BSD license, other Vulnerability Assessment companies will integrate Metasploit as well. Personally I hope this is the case as it would encourage the additional support for the framework.
to tsellers
In my opinion I've never seen a company successfully take an open source project as large and specialized as something like metasploit and integrate it successfully without the full support of the original community and authors.
But we shall see.
> Matthew Watchinski
That is half the point, they _want_ the community support. They obviously already have the main authors.
So, all should be good.