Making Sense of Rapid7's Metasploit Acquisition

The information security community stands to benefit from Rapid7's acquisition of Metasploit, IT security experts say. But much depends on how Rapid7 handles its new property.

By Bill Brenner, Senior Editor

October 21, 2009 | CSO

News of Rapid7's Metasploit acquisition hit some in the information security community like a clap of thunder. The Metasploit Project has a deep, loyal user base, and it's always unsettling to those who rely on open-source tools when those tools are snatched up by a commercial vendor.

But in the hours after Wednesday morning's announcement, cautious optimism began to take hold. Some IT security practitioners started to see the potential benefits of a Rapid7-Metasploit union -- providing the vendor handles its new property and user base with great care.

"They certainly have acquired an exceptional back-end research capability," said Pete Hillier, CISO at CMA Holdings in Ottawa. "The question is if they can ensure the continuity once the acquisition is complete?"

Some are skeptical of that, including Richmond, Va.-based IT security practitioner Rick Lawhorn, who quipped in an e-mail: "The road to hell is paved with good intentions. Unfortunately, the ones who will be happy are the bad guys; with a potentially-reduced focus on making things secure and greater focus on profitability."

Rapid7, a vendor of unified vulnerability management, compliance and penetration testing tools, said it will use Metasploit to enhance its NeXpose product. It also promised to "sponsor dedicated resources and contributions to the standalone, community-driven Metasploit Project to further its growth and success."

"Metasploit and Rapid7 NeXpose are uniquely positioned to improve upon the industry-leading capabilities of both products and to raise the bar on the industry at large," Mike Tuchen, president and CEO of Rapid7, said in a press release. "With our broader solution portfolio, we are the first security provider to meet the demand of enterprises and government agencies in enabling them to identify and mitigate exploitable threats in their IT environment based on their security risk profile."

The vendor said Metasploit Project founder HD Moore will become Rapid7's chief security officer and will remain Metasploit's chief architect. For his part, Moore predicts big dividends for his user base.

"This acquisition provides dedicated resources to the project, accelerating our growth and allowing us to provide even better solutions to the community," he said in the Rapid7 press release. "Rapid7 recognizes the value of the community and is passionate about the success of the project."

Nick Selby, a faculty member of the Institute for Applied Network Security (IANS) and managing director of Trident Risk Management, is among those expressing optimism. "The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing," he wrote Wednesday in the IANS blog. "Quality will likely rise, average price will likely fall, and functionality will likely increase. This is a good time to be in the market for pen-test software."
