In the first two months of 2010 alone, 1,223 new vulnerabilities were added to the Open Source Vulnerability Database, a project designed to gather reports about security issues in all types of software. It’s not unusual, then, for a company that relies on software to have thousands of vulnerabilities spread across various systems.
But there’s a difference between a vulnerability and a real risk, says Corey Thomas, executive vice president of the Boston-based computer security firm Rapid7. If it’s difficult for an attacker to exploit a vulnerability, Thomas says, then it doesn’t amount to much of a threat.
Last year, Rapid7 acquired Metasploit, an open-source framework that tests systems for security holes, thus helping organizations separate threats from mere vulnerabilities. Metasploit’s researchers and members of the open-source community use various strategies to stay on top of the vulnerabilities that attackers actually use, including watching news reports and monitoring systems designed to trap malware. The researchers can then create modules to see how systems would respond to an attack. Metasploit modules work the same way malicious software would, except that the user controls what the software does to the system after a breach is found. This lets users identify where they’re at risk without suffering any damage.
Rapid7 maintains Metasploit as an entirely free, open-source project. It makes money by selling products that build on Metasploit or offering businesses additional services. But the very openness and easy availability of Metasploit modules suggest another problem. Rapid7 feared that acquiring Metasploit would cause a backlash from customers worried that the tool might help attackers. Thomas’s argument is simple: “Do you want the information and knowledge to be accessible to you, or do you want it to be hidden and used by only the people who are malicious?”
Rapid7’s first product based on Metasploit streamlines the testing process and makes it easier for nontechnical users to check their systems. Now the company will focus on creating more products to help customers identify the problems in their systems and fix them efficiently.
This startup wants to copy you into an embryo for organ harvesting
With plans to create realistic synthetic embryos, grown in jars, Renewal Bio is on a journey to the horizon of science and ethics.
VR is as good as psychedelics at helping people reach transcendence
On key metrics, a VR experience elicited a response indistinguishable from subjects who took medium doses of LSD or magic mushrooms.
This artist is dominating AI-generated art. And he’s not happy about it.
Greg Rutkowski is a more popular prompt than Picasso.
This nanoparticle could be the key to a universal covid vaccine
Ending the covid pandemic might well require a vaccine that protects against any new strains. Researchers may have found a strategy that will work.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.