In the blue corner: an open-source exploit pack. In the red corner: a pay-for-play incumbent. As a security professional trying to defend your enterprise against attacks, which corner do you bet on for your penetration tests?
What's the goal of the game?
Okay, this is a loaded question, because it really depends on what your goal is. If you are like 99% of enterprises, you'll want to protect against the biggest and most likely risks. If you are the 1% that comprise defense contractors and the military and have deep pockets, you'll want to protect against all risks, so you'll buy everything that's on the market.
Let's focus on the 99% of enterprises.
Round 1: Pay-for-play exploit packs attack
Coming from the red corner, the pay-for-play exploit packs open with these attacks:
- Keeping attack technology out of the wrong hands: Metasploit is often critiqued as giving weapons to malicious attackers. Here's the dirty little secret: No matter how fast we run as an industry, we're usually anywhere from a month to a year behind the bad guys. They're not stealing ideas from us; we're stealing ideas from them. (And yes, they hate us for it.) In addition, cybercriminals make more money that the average budget of a security professional, so don't think they can't afford pay-for-play packs.
- Exploits are “commercial-grade”: Proprietary software vendors say Metasploit includes untested community contributions that are unstable and jeopardize the stability of the target systems. When Metasploit was still a weekend project of HD Moore's, this may have been true. When Rapid7 acquired the Metasploit project in 2009, we put a 3-step quality assurance process in place that outflanked what vendors of proprietary software can offer: In addition to code reviews and automated QA, we also have the Rapid7 community of 175,000 review the code and test modules before they are accepted in the stable releases and weekly updates. As a result, we've heard from users that Metasploit exploits for the same CVE are more stable than their "commercial-grade counterparts".
Ding, ding. Two points for open source.
Round 2: Open source exploit packs counter
Coming from the blue corner, the open source exploit packs counter with full force:
- Pay-for-play packs are much less relevant: Metasploit focuses on exploits that are the most relevant to security professionals. Our community of 175,000 users, security researchers, and contributors acts as “sensors” for new security trends. We often get submissions from the community that include pcaps of latest attacks, proof of concept exploits, or even full Metasploit exploit modules. The community contributors also try to exploit known vulnerabilities. Not every potential vulnerability can be exploited, so through this process we identify the ones that are easiest – not only for us but also for the attacker – and therefore most likely to show up in real-world attacks. The Rapid7 security researcher team also looks at the latest exploits contained in malware kits to provide safe versions for testing your own network's security. By contrast, pay-for-play exploit packs have to focus on vulnerabilities in more obscure software to differentiate against what's available in open source, which has limited value for enterprise security professionals.
- Pay-for-play packs should be banned from most penetration tests: Many penetration test engagements exclude the use of unpublished zero-day exploits because it's an easy (and lazy) way into an organization that is extremely hard to defend against because they don't reflect what's out in the wild. We established earlier that pay-for-play exploit packs have the same deficiency. Therefore, they should be excluded from most penetration tests that seek to establish the most likely attack vectors.
- Pay-for-play packs are bad value: This is more than just arguing that open source is free and therefore impossible to beat in value. Many proprietary vendors need to make economic decisions on what's easy to exploit and therefore focus on local exploits that can escalate privileges on a machine but not gain access to a system over the network. Local exploits are of limited value to penetration testers, so ask before you sign the check.
- Pay-for-play packs perpetuate cybercrime: Selling a good 0-day in the underground can be a lucrative business, yielding between $20,000 and $250,000 per transaction. By publishing exploits at no cost, Metasploit destroys thousands of dollars that would otherwise go into cybercrime. (And yes, they hate us for that too.) By putting a high price on exploits, pay-for-play vendors are keeping the price for 0days high and are actually playing into the pockets of the criminals.
- Pay-for-play packs don't pressure vendors: Software vendors make economic decisions. They prioritize their software development based on what makes the most money. Security patches are typically pretty low on the list. This has been a huge problem for the security industry at large and explains why many vulnerabilities remain unpatched. However, there is a magic potion: Publishing an exploit for a vulnerability in Metasploit has expedited many security updates that vendors had known about for months. Metasploit's social contract is: Everybody knows, so everybody knows. Pay-for-play exploit kits are less visible and therefore contribute much less to the overall security of the industry. Often, they don't even have a disclosure policy, and there's no way to verify that they're informing vendors. This leads to worse security for everyone and favoring attackers.
- Pay-for-play impose their own value judgment: Exploit-pack vendors who give their software only to certain groups impose their own value judgment on society, deciding that a certain government is allowed to have their 0-days while the freedom fighters aren't. By contrast, open-source a big equalizer and inherently democratic.
... Seven. Eight. Nine. Ten. Knock-out!
Ding, ding, ding.
And the winner is...
Okay, this is the Metasploit blog, so you expected open source to win, but even if the fight was rigged, our arguments are still solid. If you are using open source for your web server because it's open source and more eyeballs create better security, why aren't you doing the same when it comes to your security tools?
Security shouldn't be about who's got the deepest pockets, and that's why we're offering Metasploit Community Edition with all exploits for free. Our commercial edition Metasploit Pro mostly adds features for productivity and reporting, which are targeted at enterprises who can afford to pay for it.
What's your take on open source vs. pay-for-play exploit packs? I'd love to hear your opinion - just sign in and add your comment!