In the first two months of 2010 alone, 1,223 new vulnerabilities were added to the Open Source Vulnerability Database, a project designed to gather reports about security issues in all types of software. It’s not unusual, then, for a company that relies on software to have thousands of vulnerabilities spread across various systems.
But there’s a difference between a vulnerability and a real risk, says Corey Thomas, executive vice president of the Boston-based computer security firm Rapid7. If it’s difficult for an attacker to exploit a vulnerability, Thomas says, then it doesn’t amount to much of a threat.
Last year, Rapid7 acquired Metasploit, an open-source framework that tests systems for security holes, thus helping organizations separate threats from mere vulnerabilities. Metasploit’s researchers and members of the open-source community use various strategies to stay on top of the vulnerabilities that attackers actually use, including watching news reports and monitoring systems designed to trap malware. The researchers can then create modules to see how systems would respond to an attack. Metasploit modules work the same way malicious software would, except that the user controls what the software does to the system after a breach is found. This lets users identify where they’re at risk without suffering any damage.
Rapid7 maintains Metasploit as an entirely free, open-source project. It makes money by selling products that build on Metasploit or offering businesses additional services. But the very openness and easy availability of Metasploit modules suggest another problem. Rapid7 feared that acquiring Metasploit would cause a backlash from customers worried that the tool might help attackers. Thomas’s argument is simple: “Do you want the information and knowledge to be accessible to you, or do you want it to be hidden and used by only the people who are malicious?”
Rapid7’s first product based on Metasploit streamlines the testing process and makes it easier for nontechnical users to check their systems. Now the company will focus on creating more products to help customers identify the problems in their systems and fix them efficiently.
A quick guide to the most important AI law you’ve never heard of
The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.
It will soon be easy for self-driving cars to hide in plain sight. We shouldn’t let them.
If they ever hit our roads for real, other drivers need to know exactly what they are.
This is the first image of the black hole at the center of our galaxy
The stunning image was made possible by linking eight existing radio observatories across the globe.
The gene-edited pig heart given to a dying patient was infected with a pig virus
The first transplant of a genetically-modified pig heart into a human may have ended prematurely because of a well-known—and avoidable—risk.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.