Interview: HD Moore, Chief Security Officer at Rapid7, Chief Architect And Creator of Metasploit

HD Moore, Creator of Metasploit
HD Moore, Creator of Metasploit

In 2008, Rapid7 realised that it need some super-important people as a priority. Jen Ellis, director of global communications at Rapid7, says it also agreed with Metasploit’s view that enterprises need more that just the ability to recognise some security holes in their IT systems because they “need more information than just to know if you have a hole.” Rapid7 knew they needed a solution to detect the reason for its occurrence, but the question was how they could offer a solution that could help customers to figure out the causes of a critical data event or whether known exploits exist that are being used against them.

Filling Security Holes

Metasploit provided the answer. Rapid7 acquired Metasploit in 2009 and allegedly its creator, HD Moore. This acquisition formalised their relationship as Moore had worked with Rapid7 on some “co-development projects, and then they decided that it made more sense to actually acquire it and roll it inside a new commercial product.” Apparently, ‘the powers that be’ at Rapid7 were attracted to Metasploit’s open source architecture, community orientation, and the interest that people already had in it. HD Moore jokes that his hobby has now become his job.

With HD Moore having been ‘acquired’, Rapid7 gained more purpose and direction. “I think it really helped to clarify the vision that we have around the fact that security is like this big, complex mess, and there is no silver bullet, which is a terribly cliché, but it is true”, says Ellis, with reference to reports that the IT security situation is getting worse. In fact Moore agrees with this statement, and they both agree that not enough is being done in the right areas.

Post-Acquisition Changes

Moore adds that one thing changed after Rapid7’s acquisition of Metasploit. The company realised that Rapid7’s vulnerability management solution NeXpose is the product but not the company. The firm is “the power of the solution”, says Moore. He claims that it’s about how the company sells things, “what we’re actually building, what we’re trying to solve, to help the company to focus more on the overall goal of helping our customers to become more secure as opposed to us being needle-focused on the product’s future success and roadmap.”

The Road to Success

So by coming on board more formally, HD Moore has helped to create a broader security mindset for the benefit of Rapid7’s customers. However, his path to the door of Rapid7 wasn’t an easy one. He reveals that customers felt that his research was quite scary, owing to the fact that they were - perhaps still are - risk-averse.

“So I’ve been dragged in front of boardrooms a lot of times, I was fired a bunch of times, like a bad media bunch”, he says. The fact that Metasploit was open source created some resistance, and he found that many people complained that he was “arming the script kids; ‘you’re providing bad tools to the bad people’” he would get told. Whilst Metasploit is now a huge success, this kind of attitude against open source solutions hasn’t gone away.

“We’ve made our point, and we’ve more than justified how we do things, which is, the bad guys don’t need Metasploit as they are going to own it anyway”, he claims. This is because the administrators test their own solutions to the same level, and so he says that “we get the same playing field, and I think we’re fine with that case but it’s a really tough process to get there.”

In spite of the criticisms that people have levied against the selling of open source exploits, Moore stands behind them. He thinks it’s vital to level the playing field, to help administrators to understand the real risks as “you can’t sell it, you can’t hide it and you can’t make it proprietary.”

To him this means putting all of his cards on the table before making it available to everyone by giving them all the “same equal rights to the tools and the technology to raise the bar and we think we’ve finally got there.” In other words companies will know they have improved their security, or have achieved a high level of security, if they can defend their systems against them.

Not Enough Useful Tools

Moore argues a current market focus on innovation and increased collaboration amongst the black hat market. In contrast, he says of the defense industry, that too many companies aren’t putting enough value “into actually providing useful tools and solutions, so you see a lot of organisations that really focus on the information and intelligence they’ve got as being the one thing that sets them apart, and for that reason they can’t share it.”
In contrast Moore points out that there are organisations like SourceFire and the more open source orientated companies that provide “a whole solution for doing instant management, instant response, and those folks really do a lot for the community….and they share their data.”

Unfortunately, he says, there are 100 different vendors that only re-package what SourceFire (as an example) has already built. In other words, the vendors that are operating in the open source space are more community-minded than those that aren’t. Some of the non-open source vendors that don’t contribute to the community, but which may exploit it, are in his view “simply leeches”.

Possible to Avoid Threats

As for the rise in IT security threats, Moore agrees that many of them could be avoided. “You don’t need technology. If folks tie the processes down to the point that they were good, they wouldn’t need most of the technologies being sold”, he explains.

In other words, it’s important to manage patches properly, guarantee that every system is locked down, properly limit users in their user accounts, segment and so forth. By doing all of this, it’s possible to avoid being compromised in the way that Bit9 was when it had a key stolen. “It was the only one, they’d had their software for so long…they are nice guys, but it turns out that’s not abnormal”, he says. Even Rapid7 uses its own tools and has its own security gaps because Moore concludes that no-one is perfect and therefore the company pen tests any SaaS solution it buys.


What’s hot on Infosecurity Magazine?