Today, as Rapid7 announced the sponsorship of a second open source project with its support of w3af, I reflect back on my experience with Rapid7 over the last 9 months. When I agreed to the acquisition of the Metasploit project by Rapid7 in October last year, it was with a lot of excitement but also with a small leap of faith. In my initial blog post from October 2009 after the acquisition, I spoke about "demonstrating that we mean what we say". I spoke about how Rapid7's resources would help us hammer out Metasploit Framework releases, with better quality assurance, fewer bugs, more exploits, and faster development cycles. In April, we increased the stakes and promised software that would simplify and automate the penetration testing tasks that you do on a daily basis.
How have we done?
Looking back, I'm glad to see that we seem to have achieved these goals. The Metasploit Framework has been integrated into the Rapid7 development process, leading to the improvements the Metasploit community is experiencing today. The Metasploit Framework remains open source.
Since October 2009, the Metasploit team and Rapid7 have released six versions of the Metasploit Framework, culminating with Metasploit 3.4.1. The Metasploit Framework has added 247 new exploit modules and 184 new auxiliary modules since the acquisition. In the first half of 2010, the Metasploit Framework was downloaded or updated by more than 740,000 unique individuals, an increase of over 91 percent compared to the second half of 2009.
In addition, we launched Metasploit Express, a commercial, enterprise-grade product that makes penetration testing easy and scalable.
It seems this experiment was successful. That's why I was thrilled to hear this news:
"Andres Riancho joined Rapid7 to launch its global Center of Excellence for Web Security. Andres is the founder of the open-source w3af project, an extensible Web Application Attack and Audit Framework that finds and exploits web application vulnerabilities".
Why is this great news?
Because Rapid7 is committed to the w3af project, sponsoring its continued open source development and "buying in" by looking at integration with their existing commercial offerings.
This is another proof point that open source can succeed, both as a development model and as a business model, with the right configuration. While the Metasploit project was acquired by Rapid7, the w3af project remains independent but sponsored by Rapid7. I am excited to see what other collaborative models the future brings.
If you are currently thinking about launching your own open-source project, let me encourage you. It is a great way to build innovative technology and to contribute to the community. And don't worry – once the project grows to become too successful for you to do as a hobby, there are many models for you to get the help you need. Metasploit and w3af are just two examples.