Initial Metasploit Express Thoughts
On April 22, Rapid7, a leader in vulnerability management and the recent acquirer of Metasploit LLC, announced the release of a commercial Metasploit product labeled “Metasploit Express.” The commercial release of the once totally open source exploit framework signifies both advancement in the legitimacy of exploitation frameworks and the growing need from within the marketplace for exploitation assistance solutions. Of course, neither of these positive signals will ease the queasy feeling that most Metasploit Framework evangelists will have with the release of a commercial offering. Nor is it likely that the release will do much good for the exploitation framework market or have a major impact on the vulnerability management market.
Not much is known about Metasploit Express from a product standpoint, as the Beta release (which SecAnalysis writers are signed up for) has not gone live yet. Supposedly Metasploit Express is essentially the same product as the well-known open source Metasploit Framework, with a few basic exceptions. Most notably, the commercial offering now has a “full graphical user interface” and is now supported by Rapid7’s customer support staff. In addition, Metasploit Express also boasts automated exploits and exploitation of common insecure configurations (notably insecure username and password configurations).
From a market perspective there is not a lot of good that comes from the commercial release of Metasploit Express. The exploitation framework market is already relatively small, so the commercial entrance of a major player like Metasploit makes it even more difficult for the current leaders, CORE Security and Immunity, to generate business. Although the business models of the two reigning leaders are strong enough to be resilient against a more saturated market, it is not unlikely that both companies will be forced to reduce some investment in research and/or product improvements. This is particularly unfortunate, as both companies have made large strides in creating more effective and enterprise-ready products in recent years.
Many will no doubt argue that offering Metasploit commercially will shed some much needed light on the exploitation framework market. That message may be easy to push; however, it is difficult to justify. If anything, the entrance of Metasploit into the commercial realm confuses the market. Integrations such as the one boasted by CORE IMPACT (which now integrates Metasploit exploits into the IMPACT framework) become a touch more interesting. The licensing model leveraged by the open source Metasploit Framework is currently very flexible; however, what happens if no one is buying Metasploit Express because CORE offers essentially the same thing in their integrated IMPACT product (with several competitive differentiators)? Furthermore, what will happen if Rapid7 determines that they could increase revenue by cutting into CORE’s current market share? How will the Metasploit licensing change? How will CORE cope with the new market competition? These questions will most likely pan out with the natural progression of the market.
Of course, the exploitation market impact is less of a concern to Rapid7 when considering the vulnerability management market, where Rapid7 is focused. Unfortunately, however, the impact on the vulnerability management market is minimal at best. The vulnerability management market is still primarily predicated on compliance and not on security. Thus, the addition of an easy-to-use penetration testing capability does little to make Rapid7’s current offerings any more attractive. Furthermore, Metasploit Express does little to differentiate Rapid7 from vulnerability management market competitors, especially when considering the fact that most of the market players already have integrations with penetration testing tools. In addition, there is little that a commercial Metasploit version adds in terms of marketability of the Rapid7 name. The acquisition of Metasploit may have granted Rapid7 some much needed publicity; however, the commercial release of a Metasploit version does little to that end. If anything, the commercial release raises questions about Rapid7’s intent, which is not necessarily positive publicity.
There is one major positive for Rapid7, however, and it comes from the perspective of investors. Over the past few years Rapid7 has shown growth through innovation and business tactics. Adding a commercial capability for the Metasploit Framework will show investors the potential for further growth in revenue with minimal investment (as much of the necessary development for Metasploit Express has already been done by the community). Thus, it is not unlikely that Rapid7 will be able to capitalize on investor interest in their company to create further growth (if Rapid7 is interested, of course).
The new features boasted in Metasploit Express all seem relevant, although it is unclear what is not “full” about the current Graphical User Interface (GUI) leveraged by the open source Metasploit Framework. Also, automation largely already exists in the autopwn capabilities boasted by the open source Metasploit Framework. This raises the question, what is really the difference?
It would seem as though the development is more focused on ease of use than anything. However, shouldn’t this have been the focus of the open source version as well? It is the opinion of SecAnalysis that “ease of use” as a competitive differentiator between a commercial offering and an open source solution is rarely a good thing. In such a scenario the vendor benefits from the open source project being clunky, broken, and unusable. Many may argue that this will not be the case with the Metasploit Framework; however, this does raise the question, “If Metasploit Express advancements are making the Metasploit Framework capabilities easier to use, where is the incentive for the open source project to move in the same direction?”
HD Moore and team are well overdue for getting paid for the excellent work they have done on the open source Metasploit Framework. They represent one of the most influential and yet humble and easy to work with teams within the security industry. There is no question that any profit HD and team gain is well earned. Where there are questions is in the purpose of releasing a commercial Metasploit offering. Visionaries and pioneers within security, especially in the realm of exploitation frameworks, people like HD Moore as well as David and Justine Aitel (of Immunity), have earned their place amongst the leaders in the security industry. Up until this point there has been a relative balance between all of the much needed market players in exploitation frameworks. This is largely due to the vision that HD Moore had for his Metasploit Framework. As the exploitation framework market continues to evolve, one can only hope that HD Moore has found the components to realize his vision and Rapid7 is not defining (if not destroying) that vision to push their business agenda…