Automated penetration testing is finally being taken seriously in the face of the complex, multi-layered threats Rapid 7’s CSO HD Moore has said as his company announced its new revision of the open source tool, Metasploit Pro 4.0.
A million lines of code later from 3.0, Metasloit Pro 4.0 offers a raft of improvements, Moore said, including integration with security information and event management (SIEM), and the ability to attack password insecurities in a range of applications including Outlook, WSFTP, CoreFTP, SmartFTP, TotalCommander, BitCoin, Firefox and IE.
It also now supports testing from the Amazon EC2 cloud and as a VMware image.
But a smaller element of the package is perhaps a telling one, the addition of nine SCADA exploits associated with the infamous Stuxnet malware. This is hugely niche but offers a clue as to why such automated testing is becoming popular for customers that might in the past have seen it as a luxury or simply unnecessary.
The SCADA exploits were added at the request of customers, which raises an interesting point about penetration testing systems - they reflect the worries of real customers. In this instance, HD Moore said, companies in sectors affected by SCADA vulnerabilities were using them to test equipment before deployment as a test of manufacturer’s security claims.
The challenge for penetration testing wasn’t just to find specific holes but to look at whole networks, said Moore.
“Organisations looking to reduce data breach risks need smarter and more efficient security risk intelligence,” said Moore. “One way to get this is through frequent, broad-scale penetration testing. […] Penetration testing will show you how the systems inter-operate,” he said.
Moore promised to give away “90 percent” of the code for Metasploit to fulfil its open source philosophy. Rapid 7 already offers a cut-down version, Metasploit Express, for those organisations that don’t require the more advanced features or who lack the expertise to deploy it.
Metasploit 4.0 will be available from August.