Center of Excellence
W3af Sponsorship and Andrés Riancho FAQ
- What are you announcing on July 28, 2010?
- Is Rapid7 acquiring w3af?
- Why are you partnering with w3af?
- Why did Andrés Riancho join Rapid7? What is his role?
- Is the Director of Web Security a new position for Rapid7? Who held it before or why was it created?
- How will the new COE for Web Security impact Rapid7’s position in the market?
- How will Rapid7 leverage the Web application skill set that w3af has? How will this impact Rapid7 customers?
- How will this impact w3af?
- Will Andrés still be involved with w3af? What will be his role with the Framework?
- Is Rapid7 contributing to the w3af Framework?
- Can Rapid7 competitors contribute to w3af?
- Will Andrés join the Rapid7 staff at the Company headquarters in Boston?
- How is this different than Rapid7’s acquisition of Metasploit?
- Why is Rapid7 interested in supporting open source projects like Metasploit and w3af?
- How will this impact Bonsai?
- Will Rapid7 commercialize any of the w3af technology?
What are you announcing on July 28, 2010?
On July 28, Rapid7 is launching its worldwide Center of Excellence (COE) for Web Security. As part of this initiative, Rapid7 continues to expand its collaboration with the open source community, announcing its sponsorship of and partnership with the Web application security project w3af. With the partnership of w3af and outreach to other key industry players, Rapid7 continues its commitment to extend its recognized leadership position for application level vulnerability management (see Forrester’s recent Wave for vulnerability management) to become the leading solution for securing Web and application infrastructure.
Why are you partnering with w3af?
Rapid7 believes that partnering with the open source community can harness the power of the broader security community to create stronger commercial offerings while at the same time contributing back to the open source community. Rapid7’s collaboration with the Metasploit penetration testing framework has demonstrated how well such a partnership can work, with acceleration of the open source Metasploit framework, the creation of a strong and affordable commercial Metasploit offering, and arguably, revitalization of competitors’ commercial efforts in response to these changes.
w3af has a compelling value proposition and similar reputation in the community, in this case for its open source Web application security technology. w3af’s founder Andres Riancho will join Rapid7 as an employee and will play a significant role in the cross pollination between the open source Web application security community and Rapid7’s commercial Web security offerings.
Why did Andrés Riancho join Rapid7? What is his role?
There was mutual interest on both sides to work closely together. Rapid7 recognized Andres’ talent as one of the world’s leading experts for Web application security and w3af has established itself as one of the key open source security projects with great underlying technology.
Andres was impressed by Rapid7’s track record as one of the fastest growing security companies worldwide, its clear vision and relentless focus on solving real security issues, and finally its unwavering commitment and support for the broader security community. The accelerated growth of the Metasploit project since Rapid7’s acquisition in October 2009 was tangible evidence of the benefits that can be achieved when commercial vendors and community projects come together effectively.
As part of the collaboration between Rapid7 and w3af, Andres Riancho will be joining Rapid7 as Director of Web Security, spearheading Rapid7’s global COE for Web Security. In his role, Andres will accelerate the development of Web application security technology for the w3af open source project as well as for Rapid7’s commercial offerings.
Is the Director of Web Security a new position for Rapid7? Who held it before or why was it created?
Rapid7’s involvement in Web application security is not new. In fact, Rapid7’s vision from its inception in 2000 was to create broad best security practices for organizations securing the IT infrastructure across their networks, operating systems, databases and Web applications, culminating in the launch of the world’s first unified vulnerability management solution Nexpose in 2004. The development of Rapid7’s Web security technology has been spearheaded by founders Tas Giakouminakis, Rapid7’s CTO, and Chad Loder, Rapid7’s Vice President of Engineering. Others have followed, with Web application scanning now considered a must-have for Vulnerability Management vendors to remain relevant.
The newly created position of Director of Web Security will provide additional focus for the global Web security COE within Rapid7 and is an attestation to the company’s commitment to technical leadership in one of the most critical elements in securing IT infrastructures.
How will the new COE for Web Security impact Rapid7’s position in the market?
Rapid7 believes that our position in the Web Application Security market will continue to grow considerably as we further improve Nexpose's Web Application Security Scanner and release new products based on w3af.
How will Rapid7 leverage the Web application skill set that w3af has? How will this impact Rapid7 customers?
W3af’s skillset for Web application security will be highly beneficial in enhancing Rapid7’s commercial offerings. Rapid7 customers will see dramatic improvements in Nexpose's Web Application Security Scanning performance, further enhancements in scan accuracy, broader scope of vulnerabilities detected and enhanced support for client side technologies that are widely used. Already considered best-in-class among Vulnerability Management solutions, the addition of the skills, knowledge, and abilities from w3af will further widen the gap between Rapid7 technologies and the rest of the pack. As with the Metasploit collaboration, the addition of this skill set raises the bar for competitors to deliver more value to their customers or lag behind in their capabilities. World-class security research is a highly specialized skill and Rapid7 now has 3 centers of research excellence working together to provide proactive threat management to our customers and community user base.
How will this impact w3af?
As with the Metasploit collaboration, the impact is entirely positive, as the w3af project will now have full time developers working to improve the framework's features and stability. W3af's license and copyrights remain the same and Andres will have more time to spend designing the heuristics and algorithms required to maintain the framework as a world class Web Application Security solution.
Rapid7 is currently hiring developers with Python skills and an aptitude for Web application security. Interested candidates should contact Andres at Andres_riancho@rapid7.com for more information.
Is Rapid7 contributing to the w3af Framework?
Yes, Rapid7 is committed to the w3af community and will be contributing full time developers that will accelerate the impact that the w3af project will have in the community by increasing development output, expanding quality assurance efforts, implementing best practices and increasing community outreach.
Can Rapid7 competitors contribute to w3af?
Of course, the w3af project will remain open source and anyone can contribute to it.
Will Andrés join the Rapid7 staff at the Company headquarters in Boston?
Andres resides in Buenos Aires in Argentina. He will spend the majority of his time there, building out and managing the Web Security Center of Excellence. Andres will be traveling to Rapid7’s worldwide headquarters, development centers and other offices on a regular basis.
How is this different than Rapid7’s acquisition of Metasploit?
In this case, Rapid7 is sponsoring the w3af project rather than making an outright acquisition. What is similar, though, is that there will be significant support from Rapid7 for the project as well as strong cross-pollination between the open source project and commercial Rapid7 offerings to enhance the overall security risk posture for organizations.
Why is Rapid7 interested in supporting open source projects like Metasploit and w3af?
As Sheldon Malm, Rapid7’s Senior Director of Security Strategy and Alliances stated “Rapid7 has always believed in making a fundamental difference in our space, bringing people together to drive change…”
Rapid7 remains firmly committed to driving change in the security industry and believes that open source development is one of the keys to proactive security. It is critical for our industry to support current projects and to encourage others in the community to start new ones. Given the pace of security innovations, proprietary software development models are doomed to a perpetual game of catch-up if they operate in isolation. Collaborating with the security community at large is the only way our industry can truly keep pace with the continuous change in today's threat landscape.
By collaborating with the community we can build a fundamentally better security ecosystem to the benefit of everyone who participates – suppliers, customers, partners, security professionals, and even competitors. Rapid7’s collaboration with the Metasploit penetration testing framework is a great proof point of how well such a partnership can work.
Rapid7 has invested in full-time resources for Metasploit that have empowered the Project to greatly accelerate its development while at the same time providing maturity for quality assurance and development processes. Since the acquisition of Metasploit, Rapid7 and the Metasploit team have released five versions of the Metasploit Framework - five times the annual rate prior to the acquisition. In the first half of 2010, the Metasploit Framework was downloaded or updated by over 740,000 unique individuals, nearly double the amount of participants in the second half of 2009. This growth added to the success of other community-based products, like the Nexpose Community Edition, a free single-use vulnerability management product that includes out-of-the-box integration with the Metasploit Framework.
At the same time, the collaboration has allowed us to enhance our offerings for those organizations that desire the support of a commercial offering, as we have demonstrated with the launch of Metasploit Express.
We see a very similar opportunity with w3af. w3af has a similar value proposition and reputation in the community, in this case for its open source Web application security technology. w3af’s founder Andres Riancho will join Rapid7 as an employee and will play a significant role in the cross pollination between the open source Web application security community and Rapid7’s commercial Web security offerings.
How will this impact Bonsai?
Bonsai Information Security, the company that Andres Riancho founded in 2009, will benefit from this announcement by partnering with Rapid7 to provide world-class Web Application Penetration Testing services.
Will Rapid7 commercialize any of the w3af technology?
Yes, however Rapid7 remains committed to the open source w3af project, as it has with Metasploit.