451 CAOS Theory
A blog for the enterprise open source community

In the Pen Test community, open source permeates upwards and a trend emerges

Nick Selby, August 25, 2006 @ 4:19 pm ET

We’ve been looking at some of the emerging trends in IT security, and one is that of penetration (’pen’) testing moving up into enterprise respectability. In fact, pen-testing is moving right into the network operations center (NOC). With a slew of easy-to-use tools, the average Joe sysadmin can demonstrate the impact of exploits and test defenses even though he may not understand the details of what he’s doing. It’s a trend because the tools (both open source and proprietary) have matured to the point that forward-looking enterprises no longer view basic pen-tests as something well out of their competency.

By the way, the trend benefits real expert pen testing professionals and organizations as well: as enterprises understand the threats better, we imagine a conversation something along the lines of, ‘Okay, we’ve run Core, we’ve run Canvas, we’ve run Metasploit, and we caught most of the stuff that we can see. Now you guys come in and test us on the stuff we missed.’ Increasingly, the people hired in these cases will have more than one of the same tools in their toolkit as well.

In the old days, C-level staff thought of pen testers as some kind of counterculture anarchists, probably unwashed and certainly untrusted. The arcane nature of pen testing and its high barriers to entry (intimate knowledge of computer systems and applications, audacity, time) meant that it was done only by forward-looking organizations with the budget to hire specialized practitioners, or consultancies and services organizations like @Stake or X-Force, to come in and break stuff.

Over the past few years, in lockstep with an explosion of malware and information about vulnerabilities in systems and applications, has come the liberating force of free and open source tools, an open security research community and, best of all, in the past two years, an open framework in Metasploit. All this has made it easier than ever to start breaking stuff, and lets users with even limited skill sets experience the rush of success which leads to further experimentation and learning.

Exploit frameworks commoditize exploit development and remove some of the mystery. With its open source approach (and LGPL license), Immunity Security co-founder Dave Aitel has made sure that the Canvas community is able (and willing) to contribute to the project, and the mix of open source and proprietary down in Miami allows Dave, Justine and Immunity’s far-flung team to spend full time QA’ing their exploits and working on new product development while maintaining an open feel. If it’s not true GPL open source, it’s certainly as open as, say, Red Hat.

Even Metasploit isn’t true open source any more, if you want to get technical about it. From version 3 onwards, Metasploit has a hybrid proprietary license that allows distribution and modification but does not allow the framework or derivative works to be sold. Creator HD Moore believes the new license is fair and flexible enough to avoid the kind of developer backlash experienced by other companies like Sourcefire and Tenable Network Security, but strong enough to protect the interests of developers from unfair commercial exploitation.

And then there’s the proprietary stuff.

A minor and mainly good-natured cultural rift now divides the pen-testing space between those who are cashing in on the trend by focusing on automated, more intuitive, GUI-based testing products and those who, in defiance of the ‘pen testing for the masses’ trend, continue to focus most of their attention on exploit development without much thought for user-friendliness. The internal schism, though, has actually created classes of products which tend to complement, rather than compete with, each other.

This is all great news for users.

We were over at Core Security’s very pretty headquarters in Boston this week discussing this. Core Security makes enterprise-class, easy-to-use, easy-to-operate, non-threatening pen test software, and that is not an easy task. Impact is entirely enterprise-focused in that it is Windows-based, GUI-only (unless you really bug them about a CLI), and lets users run fully automated pen tests targeting groups of machines simultaneously. It can produce reports ranging from essentially formatted console output right up through colorful, pretty-picture-filled executive summaries. It’s designed to let relatively inexperienced users perform a range of pen-testing tasks, demonstrating the impact of exploits and calling in the cavalry when they find something of real interest. It also scales up several levels: in the hands of an expert, Core is a useful, time-saving tool as well, though experts will have a range of other tools with which to augment Core’s functionality that would not be available to novices.

Consider some recent 451 analysis I published on the subject:

Metasploit is innovative technology that we believe will stay true to its open source roots despite its license change. As such, it will be perennially underfunded, short on development resources and behind the curve in terms of regularly produced and quality-tested exploits. [...There] is reason to believe that Moore et al. are accomplishing their goal: creating a useful and free platform that newbie and expert security researchers alike can use to learn more about vulnerabilities and exploits. (Metasploit completes license change, updates pen-test platform, 2 August 2006)

and

Impact 6.0’s client-side framework does bring some sexy new functionality, with GUI improvements that further lower barriers to use, to enable relatively unskilled employees to perform automated, assisted pen tests (Core Security beefs up its GUI, adds more client-side exploits and a multitasking agent, 24 August 2006)

and

Immunity is adding functionality to its flagship Canvas platform, integrating tools like VisualSploit and Spike Proxy (a GPL’d fuzzer written by CTO Dave Aitel), and partnerships with Argeniss and Gleg, with exploits targeting Oracle and SSL, IMAP and LDAP. (Immunity integrates Spike, launches VisualSploit and builds out its partner program, 21 July 2006)

The main players are adding functionality, integrating interesting features and playing to larger rooms.

Core’s recent partnership with patch-management vendor Patchlink (which allows Core users to push Patchlink agents onto exploited hosts), highlights its strides towards enterprise legitimacy. As one basic example of what I mean by ‘time saving’, Core’s console automatically configures its web servers to listen on the appropriate ports for client-side exploits as they call back - no manually setting the listener ports, just send the thing and Core listens, even when you send out mass emails of webbug-laden mail. It’s not essential but it’s really nice.
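The ‘no manually setting the listener ports’ behaviour described above comes down to one design decision: instead of binding a fresh listener per exploit, the console keeps a single callback endpoint and correlates each incoming connection to the lure that produced it. The sketch below is an added illustration written for this post, not Core’s (or Metasploit’s) code, and it assumes a plain HTTP callback carrying a per-lure token in the URL path; the `CallbackRegistry` class, the `/cb/<token>` path layout and the sample target addresses are all invented for the example. It shows why one listener suffices for a mass mailing, and handles the two cases a real console must get right: a callback whose token was never issued (a scanner poking the listener) gets nothing, and every hit is tied back to the target it was sent to.

```python
"""Single-listener, token-correlated callback handling for client-side lures.

Added example for this post (not Core Security's or Metasploit's code).
Assumptions, all invented for illustration: callbacks arrive over plain HTTP,
the lure URL is /cb/<token>, and the payload returned is an opaque byte string.
"""
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import urlopen


class CallbackRegistry:
    """Maps unguessable per-lure tokens to the target and stage they belong to."""

    def __init__(self):
        self._lock = threading.Lock()
        self._pending = {}   # token -> {"target": str, "payload": bytes}
        self.hits = []       # (token, target, peer_ip) for every successful callback

    def register(self, target, payload):
        # 128-bit random token: a scanner hitting /cb/ cannot enumerate live lures.
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._pending[token] = {"target": target, "payload": payload}
        return token

    @staticmethod
    def lure_url(base, token):
        return f"{base}/cb/{token}"

    def record(self, token, peer_ip):
        """Return the pending entry for a valid token (and log the hit), else None."""
        with self._lock:
            entry = self._pending.get(token)
            if entry is not None:
                self.hits.append((token, entry["target"], peer_ip))
            return entry


def make_handler(registry):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            parts = urlparse(self.path).path.strip("/").split("/")
            if len(parts) == 2 and parts[0] == "cb":
                entry = registry.record(parts[1], self.client_address[0])
                if entry is not None:
                    body = entry["payload"]
                    self.send_response(200)
                    self.send_header("Content-Type", "application/octet-stream")
                    self.send_header("Content-Length", str(len(body)))
                    self.end_headers()
                    self.wfile.write(body)
                    return
            # Unknown token or wrong path: behave like an empty web server.
            self.send_response(404)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_listener(registry, host="127.0.0.1", port=0):
    """Bind once (port 0 = any free port) and serve every lure from that socket."""
    srv = HTTPServer((host, port), make_handler(registry))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://{host}:{srv.server_address[1]}"


def demo():
    """Two lures, one listener; returns what each simulated client observed."""
    reg = CallbackRegistry()
    srv, base = start_listener(reg)
    try:
        alice = reg.register("alice@corp.example", b"STAGE-FOR-ALICE")   # constructed targets
        bob = reg.register("bob@corp.example", b"STAGE-FOR-BOB")
        # Only Bob's client fetches the lure; Alice never opens hers.
        bob_stage = urlopen(reg.lure_url(base, bob)).read()
        # A stray scanner tries a made-up token.
        try:
            urlopen(reg.lure_url(base, "not-a-real-token"))
            unknown_status = 200
        except HTTPError as err:
            unknown_status = err.code
        return {
            "bob_stage": bob_stage,
            "hit_targets": [t for (_tok, t, _ip) in reg.hits],
            "unknown_status": unknown_status,
            "alice_still_pending": alice in reg._pending and alice not in {h[0] for h in reg.hits},
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The point is the correlation, not the HTTP: because each lure carries its own token, the console learns which recipient called back (and from which address) without a listener per target, and a callback with an unissued token is indistinguishable from hitting an empty web server.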

But at $25 grand per seat per year, Impact costs about nine times more than Canvas, the nearest comparable commercial product, and a gazillion times more than Metasploit, which is, uh, free.

If you’re in pen testing, you probably already have a whole range of tools of which Metasploit is one and Canvas may be another. If you’re a skilled enterprise pen tester with Core, you probably have all three. The community is tight, there’s mutual respect for what each party is after, and there is surprisingly little overlap.

And that is what all this has got to do with Open Source. Even the proprietary players in this space are, at heart, researchers, and researchers love open source. HD Moore told me the other day that, ‘Core has quite a few features that Metasploit is still working on, and thankfully their developers tend to be fans of Metasploit and released their protocol code as open-source (Impacket). The features on the TODO list include DCERPC packet privacy and some fun state-engine evasion bits covered in my Thermoptic Camouflage talk from Black Hat 2006.’

When the folks who are sometimes accused of selling out to da man are sharing their good stuff with the guy who’s credited with empowering da great unwashed, times are good.

Categories: Software


3 Comments»

Pingback by Nick Selby’s Blog » IANetSec Talk, September 25, 2006 11:08 am

[...] And all in all it went pretty well - high level overviews of ESIM, NBAD, Pen Testing (including discussions like the one I did on the 451 CAOS Blog on pen testing hitting the prime time in enterprise - and as discussed in the report on Metasploit I wrote that was republished on TechTarget). [...]

 
Comment by agence casting pour enfants, January 26, 2008 1:05 pm

Really interesting post!
Never stop iterating and don’t fear failure. Choose well-understood conventions where they will do the most good; shortcuts you might take will cost you more to fix later than to try to get right up front today.

Thanks, Zoli Juhasz

 
Trackback by Computer Network Exploitation, February 10, 2008 10:48 am

Computer Maintenance London Data Disaster Recovery Plan Computer Network Services UK IT Support London…

Like with most machines and gadgets, your computer requires regular maintenance. Maintenance ensures that your computer gives you years of trouble-free service….
