Malicious actors are always on the hunt for vulnerabilities in operating systems, web applications, browsers, and third-party software. Such vulnerabilities offer the easiest way to infect systems and breach security. Finding and mitigating vulnerabilities before attackers can take advantage of them is a central part of what is termed vulnerability management.
Networks constantly change: systems are added, software and code are updated, and users come and go. This means that vulnerability management has to happen round-the-clock. Vulnerability scanning uncovers risks and vulnerabilities, which are then addressed with patches or other remediation.
To help meet this challenge, a number of vulnerability management solutions exist. These tools carry out the scanning and suggest remediation action. They are intended to make security less reactive and more proactive, reducing the chance of a successful network attack.
Within the vulnerability management solution space, there are three big hitters: Rapid7, Qualys and Nessus. Here’s the lowdown on Rapid7.
The King of Vulnerability Management Tools
Established and mature, Rapid7 is probably the overall king of vulnerability management tools. Rapid7's customer list includes Adobe, Amazon.com, Microsoft, Ingram Micro, and Johnson & Johnson.
Rapid7 runs off an “insightOps” platform from which you can manage a range of Rapid7 products, each with its own pricing bracket. From a vulnerability management perspective, the most popular of these products is the Metasploit Framework, an advanced set of tools for creating and deploying exploit code. Metasploit is the world’s leading pentesting tool. Simulated cyberattacks play a big role in vulnerability management, so effective pentesting is a must-have.
Most users pair the Metasploit framework with Nexpose, Rapid7’s vulnerability scanner. Integrating these two – using Nexpose to scan, and Metasploit to pentest – is a common security workflow. Rapid7's Nexpose only offers an XML-based API, though the Metasploit Framework comes with a REST API for added customization.
Rapid7 has an agent that offers continuous monitoring. Unlike Qualys, where scans are queued, Rapid7 reports scan results in real time. This makes investigating vulnerabilities and revisiting the vulnerability database straightforward. Rapid7 lets you scan for policy configurations and compare them against control requirements, and it integrates well with other vendors’ products.
Rapid7 has a smooth and intuitive web UI that is easy to get to grips with. Beginners tend to find the learning curve a little flatter than with Qualys and Nessus. And if you do run into any problems, thanks partly to its open source origins, Rapid7 boasts a great community portal and plenty of resources.
All that said, Rapid7 isn’t perfect. A big blocker is that the per-asset licensing can get expensive, and the platform is really built for large-scale enterprises. The program itself is far from lightweight. Furthermore, if you need a lot of IT operations management, you might find it lacking.
Overall, Rapid7 should be your choice if exploitation testing makes up a key part of your security assessment approach. In this department, Metasploit coupled with Nexpose is hard to beat.