Testing for Trouble
In the first two months of 2010 alone, 1,223 new vulnerabilities were added to the Open Source Vulnerability Database, a project designed to gather reports about security issues in all types of software. It’s not unusual, then, for a company that relies on software to have thousands of vulnerabilities spread across various systems.
But there’s a difference between a vulnerability and a real risk, says Corey Thomas, executive vice president of the Boston-based computer security firm Rapid7. If it’s difficult for an attacker to exploit a vulnerability, Thomas says, then it doesn’t amount to much of a threat.
Last year, Rapid7 acquired Metasploit, an open-source framework that tests systems for security holes, thus helping organizations separate threats from mere vulnerabilities. Metasploit’s researchers and members of the open-source community use various strategies to stay on top of the vulnerabilities that attackers actually use, including watching news reports and monitoring systems designed to trap malware. The researchers can then create modules to see how systems would respond to an attack. Metasploit modules work the same way malicious software would, except that the user controls what the software does to the system after a breach is found. This lets users identify where they’re at risk without suffering any damage.
Rapid7 maintains Metasploit as an entirely free, open-source project. It makes money by selling products that build on Metasploit or offering businesses additional services. But the very openness and easy availability of Metasploit modules suggest another problem. Rapid7 feared that acquiring Metasploit would cause a backlash from customers worried that the tool might help attackers. Thomas’s argument is simple: “Do you want the information and knowledge to be accessible to you, or do you want it to be hidden and used by only the people who are malicious?”
Rapid7’s first product based on Metasploit streamlines the testing process and makes it easier for nontechnical users to check their systems. Now the company will focus on creating more products to help customers identify the problems in their systems and fix them efficiently.
Keep Reading
Most Popular
Large language models can do jaw-dropping things. But nobody knows exactly why.
And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.
The problem with plug-in hybrids? Their drivers.
Plug-in hybrids are often sold as a transition to EVs, but new data from Europe shows we’re still underestimating the emissions they produce.
Google DeepMind’s new generative model makes Super Mario–like games from scratch
Genie learns how to control games by watching hours and hours of video. It could help train next-gen robots too.
How scientists traced a mysterious covid case back to six toilets
When wastewater surveillance turns into a hunt for a single infected individual, the ethics get tricky.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.