First up a quick Troll shoot.
- The license for Metasploit stays BSD.
- Metasploit continues to be a community driven project.
- When an Open Source project gets commercial backing the developers on that project don’t need day jobs anymore. They also get resources, tools, and budgets. This in my opinion means a lot of new code for this project in a short period of time. I saw exactly this when I started with Sourcefire almost 7 years ago, no more small releases just big old feature releases.
- Faster exploit development. If you have resources and people you can quickly setup development environments, test things, reverse things, and build Metasploit modules. I’m guessing the number of exploits in Metasploit will quickly eclipse CORE and Immunity within a 6-month timeframe. I’m guessing this will follow the same course as with the Sourcefire VRT; go from 3k rules to 5k rules overnight.
- Stability and Reliability. If you buy something you want it to work and if you’ve got resources your Open Source users expect a higher quality product. I’d assume they are going to hit this area first.
On the Vulnerability Management side, I think this changes the game for guys like nCircle and Tenable as Rapid7’s NeXpose™ product will be the only Vulnerability Management tool that can actually prove what it is reporting. It also gives Rapid7 the interesting advantage of being able to live test mitigation strategies and defenses. This is something that other vulnerability management solutions can’t do out of the box. That said it is going to be interesting to see how this integration takes place, and how many people are willing to click the “exploit host” button if that is how it is done.
Outside all that, I always loving seeing Open Source products make it into the commercial game as it continues to show the value of Open Source in the enterprise, and that just because software is free doesn’t mean it’s not worth more than the sum of all its license text.