For many IT pros, the free, open source Metasploit Framework was once thought of as just a community project unsuitable for serious enterprise security testing. Now, Metasploit's new patron, security vendor Rapid7, is working to make sure that's no longer the case.
Since acquiring Metasploit at the end of October, Rapid7 has been busily integrating the framework with its commercial NeXpose suite of vulnerability scanning and assessment tools.
The result: Rapid7's flagship NeXpose Enterprise Edition 4.8 suite can now borrow from a number of key Metasploit capabilities. The new integration comes by way of Metasploit's update to version 3.3.1, which offers a new Metasploit Console plug-in that exposes new commands to the user.
In addition to the launch of Metasploit 3.3.1, Rapid7 is also expanding its NeXpose offerings, adding a new onramp for single-user setups--the NeXpose Community Edition.
That may boost NeXpose's appeal to some of the current users of products like Metasploit. NeXpose is a closed-source product, and while the single-user NeXpose Community Edition is as well, it's freely available, like the open source Metasploit.
With the integration of Metasploit and the new community release, Rapid7 is aiming to expand its share of the market for security vulnerability scanning and assessment tools.
Metasploit in particular adds to the mix a popular, proven framework for security testing. The project has often been the place where publicly disclosed vulnerabilities are first implemented as working exploits that researchers can test.
"This integration provides an easy way to correlate vulnerabilities discovered with NeXpose with exploits provided by Metasploit," said H D Moore, Metasploit's chief architect and Rapid7's chief security officer. "What makes this solution different from the existing products is that while other products support simple, manual import of third-party vulnerability data, Metasploit now has the ability to run the scans using an existing NeXpose installation, load the results, and automatically launch the relevant exploit modules."
Metasploit integration and next steps
Moore said the NeXpose-Metasploit integration is meant to be a convenient tool for penetration testers who already have experience with Metasploit.
"NeXpose provides a more intuitive Web-based user interface for performing vulnerability assessments and managing risk," Moore said. "The Metasploit integration uses the existing Metasploit console and provides the ability to run a scan and use the relevant information from scan results to launch Metasploit modules."
Metasploit 3.3.1 is an incremental release following last month's debut of version 3.3.
Moore said that the new integration of NeXpose and Metasploit marks just the first step toward more fully linking the two. Specifically, he said Rapid7 aims to leverage vulnerability data in Metasploit and exploit data in NeXpose.
"We are collecting feedback from the community on the current implementation and plan to continue adding features that will bring both products closer together, based on suggestions from the community, customers, and our current roadmap," Moore said. NeXpose Community Edition
Meanwhile, Rapid7 is also expecting its free, new NeXpose Community Edition offering to begin attracting fans among users.
Corey Thomas, vice president of products and operations at Rapid7, explained that the Community Edition is a single-user vulnerability management product targeted at performing security tests for small networks and critical infrastructure assets with up to 32 IPs.
He added that Rapid7's core paid offering, NeXpose Enterprise Edition, is typically used by larger organizations with multiple users and larger networks that need additional features, such as compliance scanning and advanced reporting.
While NeXpose is not open source, Thomas added that open source is a great way to build software in conjunction with a community.
"There is no real need to make NeXpose open source or change its development model, but we are looking into ways to allow community development plug-ins to be integrated in the future," Thomas said.
Sean Michael Kerner is a senior editor at InternetNews.com.