Better is not good enough

Blog Post created by rapid7-admin on Jul 28, 2010

Originally Posted by Sheldon Malm

In July 2009, I posted to the Rapid7 blog that the future is friendly.  In that post, I talked about how we, as vendors and service providers, have not fulfilled our promises to protect our customers, feed the community, and catalyze change.  I admitted that we need to be better, committed that we will be better, and announced to you that it starts now.  Now that we’ve reached the end of July 2010, it seems like an appropriate time to reflect on that optimism, reflect on our commitment, and reflect on the state of our industry. 

Life’s been busy at Rapid7 over the last year, and we’ve been laser-focused on fulfilling these promises. 

Within our own products and services, we’ve started to move the ball forward.  We’ve greatly expanded our detection coverage, speed, and accuracy in NeXpose.  We’ve expanded the scope and maturity of our Professional Services team, broadening the penetration testing, technical assessment, and engagement practices of our folks out there on the road every day.  We acquired the Metasploit project and provided dedicated resources to the community-based framework, released the first commercial version with Metasploit Express, and brought critical intelligence from the penetration testing discipline into NeXpose with Exploit Exposure.  We delivered a free version of NeXpose to the community with NeXpose Community Edition.  All of this has been done to deliver more capability and to make security more accessible to more people by making it easier to use and affordable.  These are important first steps, and while we are extremely proud of the work that our people have done in delivering this value, they are just that: first steps. 

On a personal level, my responsibilities have expanded from Security Strategy to include Strategic Alliances.  This has not only proven to be a personally enriching experience; it has been an important move for Rapid7 to keep our partner strategy focused on collaborations that add value beyond revenue growth for the company.  Our strategic alliances are driven from the core values that I communicated on the blog just over a year ago: to better protect our customers, to better feed the community, and to catalyze change.  We’ve engaged in some important partnerships and collaborations as a result, and we’ve declined a number of opportunities that were not focused on these core values.  We are not trying to become a malware detection company.  We are not trying to become a narrow-focused MSSP.  We are not trying to become a SIEM vendor.  We will continue to be the fastest growing, most innovative Vulnerability Management and Penetration Testing company in our industry because that is the value that customers look for us to provide. 

This focus and relentless execution have brought business benefit to the company, with much more awareness about Rapid7 in the market, 117% growth in Sales in the first half of 2010 over the same period last year, top tier ranking in the latest Gartner Market Scope, recognition as a leader in the latest Forrester Wave, and increased adoption of our open source and community offerings that have far exceeded our expectations.  When you do the right things at the right time for the right reasons with the right collaborations, you achieve success.  This is the basis of our success to date, and this is the basis of our strategy moving forward.

We’ve seen change happening on many fronts, and the expansion of community-based collaboration has never been so vibrant.  The launch, community participation, and viral growth of the Security B-Sides conference series is a perfect example of how the community can come together to provide immediate value.  Within a single year, B-Sides has established itself as an important forum for information exchange and personal connection alongside recognized conferences like BlackHat, DEFCON, RSA, SECtor, and others.

We’ve seen some changes from our competitors as well.  There is revitalization in the penetration testing technology space that is exciting to see.  People have acknowledged that Vulnerability Management and Penetration Testing solutions must converge for the value of proactive security to grow.  We’d like to think that our activities are a small part of why the competition is re-investing in their value proposition, although they have a long way to go in making penetration testing solutions affordable.  The truth is, they now have no choice – there is an affordable, best-in-class solution available and competition in this sense brings benefits to customers and community. 

The competitive response in the Vulnerability Management space has not been as encouraging.  We’ve seen some vendors ignore these important steps forward, while others continue to release check-the-box features in response.  When we released Exploit Exposure, one vendor posted a web page with 12-month top-10 patch rankings, another is working to emulate the feature, and the rest of the pack released crickets back into the wild along with updated press releases about integrations that have existed and have been virtually neglected for years.  We’ve seen one vendor release a limited iteration of our remediation report, with no apparent efforts to raise the quality and precision of the underlying detection that makes remediation-based reporting so valuable.  The others are still without this capability, seemingly missing the point that making security affordable means reducing vendor costs AND cost of operation.  We’ve expanded the value of our mobile solution for consultant laptops, with no notable updates to competitors’ mobile solutions and one competitor who is still unable to deliver a mobile form factor.  We firmly believe that we are still not doing a good enough job at Rapid7, and this lack of compelling competitive response is unacceptable to us as members of our industry and community.  We are continuing to press forward, and we genuinely hope that competitors will step up as the bar continues to be raised.

One of the most significant areas of investment for us is in web application security.  We have always been significantly ahead of our Vulnerability Management competitors in this regard, with highly scalable web application scanning capabilities delivered from the NeXpose core application and support for AJAX and Web 2.0 technologies.  Despite this market leadership, we are not satisfied with using this group as our yardstick.  Today, I am pleased to announce that Rapid7 has officially launched our global Center of Excellence for Web Security with the addition of Andres Riancho as Director of Web Security, along with collaboration on and Rapid7 sponsorship of the w3af open source project.  As you may know, Andres is the founder of the open-source w3af project, an extensible Web Application Attack and Audit Framework that finds and exploits web application vulnerabilities.

I’m excited about what this means for our company, for our technical solutions, for w3af, and for the value that we can create for customers and the community from this partnership.  Andres and w3af are a perfect fit for Rapid7, expanding the capabilities of NeXpose and our research discipline, supporting the convergence of Vulnerability Management and Penetration Testing/Exploit frameworks, expanding the dynamic nature of solving a dynamic security problem, and providing another important proof point that collaboration between commercial vendors and open source community is the only way to drive meaningful and lasting change. 

As has been the case over the last year, you will see various responses from our competitors.  Many will ignore it and hope it goes away.  It will not.  Others will renew marketing efforts on their existing solutions to divert from their lack of R&D investment.  One competitor has responded with a legacy Network VA approach to the web application problem, providing an inventory of the technologies within web applications.  None of these responses add value to solving the dynamic security problem and they will need to do better just as we need to do better. 

If you haven’t worked with w3af, I encourage you to visit http://w3af.sourceforge.net/ to see the great work that Andres and the contributing community have done to date.  Andres will remain the project owner of w3af, accelerating the expansion of its capabilities and maintaining the project as open source.

I’d like to thank Andres for his contributions to our industry and community, and for agreeing to join the Rapid7 family.  I’d like to thank customers for continued support of Rapid7 and for your valuable feedback on how we can make our products and services better for you.  Finally, I’d like to thank the community for your cautious optimism following the Metasploit acquisition, your support in adopting our free and open source solutions, and for your tireless efforts in moving the state of security forward. 

I firmly believe that we collectively have started to drive change.  We are on the right path and we have a lot of work ahead of us.  I believe that we will be even better one year from now, and I’m just as certain that it still won’t be good enough.  That’s the journey that drives our passion for everything we do and we couldn’t do it without you.  We hope you feel the same way.