List, I'm sure you've got many questions about the w3af partnership with Rapid7, that's why we created this FAQ that will answer most of your questions.

Q. What's the new partnership between w3af and Rapid7 all about?

As of July 28, the Web application security w3af project is announcing its partnership with Rapid7, which includes sponsorship to fund its open source development. Rapid7 has hired me to launch its worldwide Center of Excellence (COE) for Web Security. With the partnership of w3af and outreach to other key industry players, Rapid7 continues its commitment to extend its recognized leadership position for application level vulnerability management (see Forrester's recent Wave for vulnerability management) to become the leading solution for securing Web and application infrastructure.

Q. Is Rapid7 acquiring w3af?

No.

Q. Why did I join Rapid7? What is my new role?

There was mutual interest on both sides to work closely together. I was impressed by Rapid7's track record as one of the fastest growing security companies worldwide, its clear vision and relentless focus on solving real security issues, and finally its unwavering commitment and support for the broader security community. The accelerated growth of the Metasploit project since Rapid7's acquisition in October 2009 was tangible evidence of the benefits that can be achieved when commercial vendors and community projects come together effectively. Rapid7 sees me as one of the world's leading experts for Web application security, and w3af has established itself as one of the key open source security projects with great underlying technology.

As part of the collaboration between Rapid7 and w3af, I will be joining Rapid7 as Director of Web Security, spearheading Rapid7's global COE for Web Security. In my new role, I will accelerate the development of Web application security technology for the w3af open source project as well as for Rapid7's commercial offerings.

Q. Is the Director of Web Security a new position for Rapid7? Who held it before, or why was it created?

Rapid7's involvement in Web application security is not new. In fact, Rapid7's vision from its inception in 2000 was to create broad best security practices for organizations securing the IT infrastructure across their networks, operating systems, databases and Web applications, culminating in the launch of the world's first unified vulnerability management solution, NeXpose, in 2004. The development of Rapid7's Web security technology has been spearheaded by founders Tas Giakouminakis, Rapid7's CTO, and Chad Loder, Rapid7's Vice President of Engineering. Others have followed, with Web application scanning now considered a must-have for Vulnerability Management vendors to remain relevant. The newly created position of Director of Web Security will provide additional focus for the global Web security COE within Rapid7 and is an attestation to the company's commitment to technical leadership in one of the most critical elements in securing IT infrastructures.

Q. Why is Rapid7 partnering with w3af?

Rapid7 believes that partnering with the open source community can harness the power of the broader security community to create stronger commercial offerings while at the same time contributing back to the open source community. Rapid7's collaboration with the Metasploit penetration testing framework has demonstrated how well such a partnership can work, with acceleration of the open source Metasploit framework, the creation of a strong and affordable commercial Metasploit offering, and arguably, revitalization of competitors' commercial efforts in response to these changes. w3af has a compelling value proposition and similar reputation in the community, in this case for its open source Web application security technology. I will join Rapid7 as an employee and will play a significant role in the cross-pollination between the open source Web application security community and Rapid7's commercial Web security offerings.

Q. How will this impact w3af?

As with the Metasploit collaboration, the impact is entirely positive, as the w3af project will now have full time developers working to improve the framework's features and stability. w3af's license and copyrights remain the same, and I will have more time to spend designing the heuristics and algorithms required to maintain the framework as a world class Web Application Security solution. We've already hired our first additional employee at the COE and we are looking to staff several other engineering positions in Buenos Aires. I'm specifically looking at hiring developers with Python skills and an aptitude for Web application security. Interested candidates should contact me at andres_rian...@rapid7.com for more information.

Q. Will you still be involved with w3af? What will be your role with the Framework?

Yes, I will still be involved in w3af's development process with the classical role of project leader (or Benevolent Dictator For Life, or BDFL, as some like to call it).

Q. Is Rapid7 contributing to the w3af Framework?

Yes, Rapid7 is committed to the w3af community and will be contributing full time developers that will accelerate the impact that the w3af project will have in the community by increasing development output, expanding quality assurance efforts, implementing best practices and increasing community outreach.

Q. Can Rapid7 competitors contribute to w3af?

Of course, the w3af project will remain open source and anyone can contribute to it.

Q. Will you join the Rapid7 staff at the Company headquarters in Boston?

I currently live in Buenos Aires, Argentina. I will spend the majority of my time there, building out and managing the Web Security Center of Excellence. I will be traveling to Rapid7's worldwide headquarters, development centers and other offices on a regular basis.

Q. How is this different from Rapid7's acquisition of Metasploit?

In this case, Rapid7 is sponsoring the w3af project rather than an outright acquisition. What is similar, though, is that there will be significant support from Rapid7 for the project as well as strong cross-pollination between the open source project and commercial Rapid7 offerings to enhance the overall security risk posture for organizations.

Q. Why is Rapid7 interested in supporting open source projects like Metasploit and w3af?

As Sheldon Malm, Rapid7's Senior Director of Security Strategy and Alliances, stated: "Rapid7 has always believed in making a fundamental difference in our space, bringing people together to drive change..." Rapid7 remains firmly committed to driving change in the security industry and believes that open source development is one of the keys to proactive security. It is critical for our industry to support current projects and to encourage others in the community to start new ones. Given the pace of security innovations, proprietary software development models are doomed to a perpetual game of catch-up if they operate in isolation. Collaborating with the security community at large is the only way our industry can truly keep pace with the continuous change in today's threat landscape. By collaborating with the community we can build a fundamentally better security ecosystem to the benefit of everyone who participates: suppliers, customers, partners, security professionals, and even competitors.

Rapid7's collaboration with the Metasploit penetration testing framework is a great proof point of how well such a partnership can work. Rapid7 has invested in full-time resources for Metasploit that have empowered the Project to greatly accelerate its development while at the same time providing maturity for quality assurance and development processes. Since the acquisition of Metasploit, Rapid7 and the Metasploit team have released five versions of the Metasploit Framework, five times the annual rate prior to the acquisition. In the first half of 2010, the Metasploit Framework was downloaded or updated by over 740,000 unique individuals, nearly double the amount of participants in the second half of 2009. This growth added to the success of other community-based products, like the NeXpose Community Edition, a free single-user vulnerability management product that includes out-of-the-box integration with the Metasploit Framework. At the same time, the collaboration has allowed us to enhance our offerings for those organizations that desire the support of a commercial offering, as we have demonstrated with the launch of Metasploit Express.

Rapid7 sees a very similar opportunity with w3af. w3af has a similar value proposition and reputation in the community, in this case for its open source Web application security technology. I will join Rapid7 as an employee and will play a significant role in the cross-pollination between the open source Web application security community and Rapid7's commercial Web security offerings.

Q. How will this impact Bonsai?

Bonsai Information Security, the company I founded in 2009, will benefit from this announcement by partnering with Rapid7 to provide world-class Web Application Penetration Testing services.

Q. How will Rapid7 leverage the Web application skill set that w3af has? How will this impact Rapid7 customers?

w3af's skill set for Web application security will be highly beneficial in enhancing Rapid7's commercial offerings. Rapid7 customers will see dramatic improvements in NeXpose's Web Application Security Scanning performance, further enhancements in scan accuracy, broader scope of vulnerabilities detected and enhanced support for client side technologies that are widely used. Already considered best-in-class among Vulnerability Management solutions, the addition of the skills, knowledge, and abilities from w3af will further widen the gap between Rapid7 technologies and the rest of the pack.
As with the Metasploit collaboration, the addition of this skill set raises the bar for competitors to deliver more value to their customers or lag behind in their capabilities. World-class security research is a highly specialized skill, and Rapid7 now has 3 centers of research excellence working together to provide proactive threat management to our customers and community user base.

Q. Will Rapid7 commercialize any of the w3af technology?

Yes, however Rapid7 remains committed to the open source w3af project, as it has with Metasploit.

The FAQ can also be found online at the w3af website [0].

Thanks!

[0] http://w3af.sourceforge.net/rapid7-faq.php

Regards,
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/