The open source Metasploit framework is often the place where security vulnerabilities become usable enabling security researchers to test out exploits and fix flaws. Until recently, Metasploit was typically used only as a standalone community project, but that's no longer the case.
Metasploit is now owned by security firm Rapid7, the company that also integrates Metasploit into their testing tools. This week, security testing firm Core Security announced that they would be integrating support for Metasploit into their Core IMPACT Pro application. Evaluating the impact of the enterprise tool integration of Metasploit depends on a number of factors. It's also not clear whether or not the open source community aspect of Metasploit will enjoy any benefits as a result either.
"Metasploit itself won't provide anything that our customers didn't have access to before as the framework itself was always available to them," Fred Pinkett, vice president of product management at Core Security, told InternetNews.com. "But, the important thing is that what it will provide, as a result of the integration, increased ease-of-use for our customers who want to use the two products side-by-side through the IMPACT Pro interface."
Pinkett further clarified that Core Security is building an integration with Metasploit and not building it "into" their product, so there won't be any use of Metasploit code within IMPACT Pro at all. Core Security is also not providing any indemnification or insurance to anyone using Metasploit. Pinkett reiterated that it is the user's choice to use the Metasploit framework and any of the code it contains is their own and Core Security cannot account for that.
"We're not building Metasploit into IMPACT Pro," Pinkett said. "We're simply building an integration that allows our customers who want to use the two systems in a coordinated fashion to do so."
No requirement to contribute back to Metasploit project
Core Security is also not contributing to the open source Metasploit project either.
"Rapid7 and Core Security have no formal relationship, nor do Core Security employees contribute to the Metasploit Project," H.D. Moore, Rapid7 CSO and Metasploit Chief Architect told InternetNews.com.
That said, Pinkett noted that his company is open to new relationships and many people from Core have known and respected H.D. Moore and his work for many years, and it's always been a positive relationship.
"If it turns out that the interfaces that we're building require hooks we'll certainly contribute those, but we don't have any immediate plans to make contributions beyond the integrations that we've already announced," Pinkett said.
The way that Core Security will be leveraging Metasploit is well within the bounds of the open source license under which the framework is distributed.
"The Metasploit Framework is provided under a BSD license and has few restrictions in terms of redistribution or attribution," Moore said. "Rapid7 does own the Metasploit trademark, but so long as Core respects that, there should be no significant barriers to them using the code. Most of the development we do goes directly into the main Metasploit source tree, so Core would have access to the same features as any other member of the public."
Looking at the broader market, it is in some ways beneficial for the Metasploit project and for Rapid7 to have broader third-party commercial integration like the one from Core Security.
"Integration cuts both ways; by extending Core to support Metasploit, there is an implicit endorsement by Core of the Metasploit product," Moore said. "We think Metasploit is awesome and we are happy that their customers think so too, but this must be bittersweet for developers of the Core Impact product."
Moore added that Rapid7 faces a similar issue in that not all Metasploit users are also users of Rapid7's NeXpose vulnerability testing application. He explained that the Metasploit project has added support for competing vulnerability management products to the Metasploit Framework, as it is in the project's interest to make users happy, even if there is a potential conflict.
"With that said, we invite integration from any product vendor; at the end of the day, interoperability helps the industry and provides new capabilities to our users," Moore said. "We plan to continue integrating with third-party products, as both a consumer and producer of security data."