In the first two months of 2010 alone, 1,223 new vulnerabilities were added to the Open Source Vulnerability Database, a project designed to gather reports about security issues in all types of software. It’s not unusual, then, for a company that relies on software to have thousands of vulnerabilities spread across various systems.
But there’s a difference between a vulnerability and a real risk, says Corey Thomas, executive vice president of the Boston-based computer security firm Rapid7. If it’s difficult for an attacker to exploit a vulnerability, Thomas says, then it doesn’t amount to much of a threat.
Last year, Rapid7 acquired Metasploit, an open-source framework that tests systems for security holes, thus helping organizations separate threats from mere vulnerabilities. Metasploit’s researchers and members of the open-source community use various strategies to stay on top of the vulnerabilities that attackers actually use, including watching news reports and monitoring systems designed to trap malware. The researchers can then create modules to see how systems would respond to an attack. Metasploit modules work the same way malicious software would, except that the user controls what the software does to the system after a breach is found. This lets users identify where they’re at risk without suffering any damage.
Rapid7 maintains Metasploit as an entirely free, open-source project. It makes money by selling products that build on Metasploit or offering businesses additional services. But the very openness and easy availability of Metasploit modules suggest another problem. Rapid7 feared that acquiring Metasploit would cause a backlash from customers worried that the tool might help attackers. Thomas’s argument is simple: “Do you want the information and knowledge to be accessible to you, or do you want it to be hidden and used by only the people who are malicious?”
Rapid7’s first product based on Metasploit streamlines the testing process and makes it easier for nontechnical users to check their systems. Now the company will focus on creating more products to help customers identify the problems in their systems and fix them efficiently.
How AI is reinventing what computers are
Three key ways artificial intelligence is changing what it means to compute.
These weird virtual creatures evolve their bodies to solve problems
They show how intelligence and body plans are closely linked—and could unlock AI for robots.
We reviewed three at-home covid tests. The results were mixed.
Over-the-counter coronavirus tests are finally available in the US. Some are more accurate and easier to use than others.
A horrifying new AI app swaps women into porn videos with a click
Deepfake researchers have long feared the day this would arrive.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.