Microsoft's own heavy reliance on open source components in its software and services led it to recognize the risk inherent in trusting code it did not write. In response it has released a free source code analyzer, Microsoft Application Inspector, that surfaces interesting features and metadata in a codebase, such as the use of cryptography or whether the code connects to any remote entity.
The tool helps developers who reuse open source components such as libraries. Before placing trust in the many contributors to a component, they need to understand exactly what each external software component does, and Application Inspector highlights the security-relevant behaviour they should look at.
Microsoft Application Inspector differs from typical static analysis tools in that it is not limited to detecting poor programming practices; it also surfaces characteristics of the codebase that would otherwise be hard to identify through manual inspection.
Different Use Cases for Microsoft Application Inspector
Microsoft Application Inspector ships with hundreds of feature detection patterns covering many popular programming languages, and reports on the following kinds of characteristics: application frameworks, cloud APIs, cryptography, data types, operating system functions, and security features for authentication and authorization.
Application Inspector can be used to identify key changes to a component's feature set from one version to the next, which can reveal anything from an increase in attack surface to a malicious backdoor. It can also be used to single out high-risk components, and components with suspicious features that warrant additional scrutiny.
It is cross-platform, and the command-line tool can produce output in multiple formats, including JSON and an interactive HTML report like the one shown below.
Each icon in the report represents a feature identified in the source code; the report for that feature expands on the right-hand side, and clicking any of the links shows the source code snippet that triggered the match.
Getting started with Application Inspector
Microsoft Application Inspector is designed for use by an individual or at scale, and can analyze millions of lines of source code across components written in different programming languages, which is simply not feasible to do manually.
Getting started with Application Inspector is straightforward: it is open source, cross-platform (built on .NET Core), and available for download on GitHub.
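A worked example of the version-to-version comparison described above, added here; it is not code from Application Inspector or from this article. The CLI is published as a .NET global tool (`dotnet tool install --global Microsoft.CST.ApplicationInspector.CLI`) and a JSON report is produced with `appinspector analyze -s <source-dir> -f json -o report.json`; confirm both against `appinspector --help` for the version you install. Run the analyzer once per version of a component, then point the script at the two reports. The embedded reports for a fictional `widget-lib` are constructed for the example and mirror the layout of the tool's JSON output (`metaData.uniqueTags` and `metaData.detailedMatchList`); the field names, the tag strings and the `HIGH_RISK_PREFIXES` list are this example's assumptions, not the tool's own. The CLI also has a `tagdiff` command for comparing two sources; the script shows what such a comparison amounts to and lets you attach your own risk list and jump straight to the files and lines that introduced the new behaviour.

```python
"""Diff two Application Inspector JSON reports and flag risky new features.

Added example, not part of Application Inspector. Report layout, field names
and tag strings below are assumptions modelled on the tool's JSON output;
check them against a real report from `appinspector analyze -f json`.
"""
import json
from typing import Dict, List, Set, Tuple

# Tag prefixes this reviewer treats as "inspect before trusting" when they
# appear between versions. The list is the example's own choice, not a
# ranking shipped with Application Inspector.
HIGH_RISK_PREFIXES = (
    "OS.Network.Connection",           # new outbound connectivity
    "OS.Process.DynamicExecution",     # eval / spawning processes
    "Cryptography.HashAlgorithm.MD5",  # weak hash showing up
    "Cryptography.Encryption.DES",
)

# Constructed reports for two versions of a fictional "widget-lib" component.
REPORT_V1 = json.dumps({
    "metaData": {
        "applicationName": "widget-lib",
        "sourceVersion": "1.0.0",
        "uniqueTags": [
            "Authentication.General",
            "Cryptography.HashAlgorithm.SHA256",
            "Data.Parsing.JSON",
        ],
        "detailedMatchList": [
            {"ruleName": "SHA-256 hashing", "tags": ["Cryptography.HashAlgorithm.SHA256"],
             "fileName": "src/integrity.py", "startLocationLine": 14},
            {"ruleName": "Password check", "tags": ["Authentication.General"],
             "fileName": "src/auth.py", "startLocationLine": 40},
            {"ruleName": "JSON parsing", "tags": ["Data.Parsing.JSON"],
             "fileName": "src/config.py", "startLocationLine": 7},
        ],
    }
})

# Version 1.1.0: the hash was downgraded to MD5 and a "telemetry" module
# appeared that opens HTTP connections and executes code dynamically.
REPORT_V2 = json.dumps({
    "metaData": {
        "applicationName": "widget-lib",
        "sourceVersion": "1.1.0",
        "uniqueTags": [
            "Authentication.General",
            "Cryptography.HashAlgorithm.MD5",
            "Data.Parsing.JSON",
            "OS.Network.Connection.HTTP",
            "OS.Process.DynamicExecution",
        ],
        "detailedMatchList": [
            {"ruleName": "MD5 hashing", "tags": ["Cryptography.HashAlgorithm.MD5"],
             "fileName": "src/integrity.py", "startLocationLine": 14},
            {"ruleName": "Password check", "tags": ["Authentication.General"],
             "fileName": "src/auth.py", "startLocationLine": 40},
            {"ruleName": "JSON parsing", "tags": ["Data.Parsing.JSON"],
             "fileName": "src/config.py", "startLocationLine": 7},
            {"ruleName": "HTTP client", "tags": ["OS.Network.Connection.HTTP"],
             "fileName": "src/telemetry.py", "startLocationLine": 22},
            {"ruleName": "Dynamic code execution", "tags": ["OS.Process.DynamicExecution"],
             "fileName": "src/telemetry.py", "startLocationLine": 31},
        ],
    }
})


def load_report(text: str) -> dict:
    """Parse a JSON report and return its metaData block."""
    return json.loads(text)["metaData"]


def tag_set(meta: dict) -> Set[str]:
    """Unique feature tags found in a report."""
    return set(meta.get("uniqueTags", []))


def diff_tags(old: dict, new: dict) -> Tuple[Set[str], Set[str]]:
    """Tags that appeared in `new` and tags that disappeared from `old`."""
    old_tags, new_tags = tag_set(old), tag_set(new)
    return new_tags - old_tags, old_tags - new_tags


def high_risk(tags: Set[str]) -> List[str]:
    """Subset of tags matching the reviewer's high-risk prefixes, sorted."""
    return sorted(t for t in tags if t.startswith(HIGH_RISK_PREFIXES))


def locations(meta: dict, tags: Set[str]) -> List[Tuple[str, int, str]]:
    """(file, line, rule) for every match carrying one of the given tags."""
    out = []
    for m in meta.get("detailedMatchList", []):
        if tags.intersection(m.get("tags", [])):
            out.append((m["fileName"], m["startLocationLine"], m["ruleName"]))
    return sorted(out)


def review(old_text: str, new_text: str) -> Dict[str, object]:
    """Compare two reports and return what a reviewer needs to triage."""
    old, new = load_report(old_text), load_report(new_text)
    added, removed = diff_tags(old, new)
    risky = high_risk(added)
    return {
        "component": new.get("applicationName"),
        "versions": (old.get("sourceVersion"), new.get("sourceVersion")),
        "added": sorted(added),
        "removed": sorted(removed),
        "high_risk_added": risky,
        "where": locations(new, set(risky)),
    }


if __name__ == "__main__":
    result = review(REPORT_V1, REPORT_V2)
    print(f"{result['component']} {result['versions'][0]} -> {result['versions'][1]}")
    print("added:  ", ", ".join(result["added"]) or "-")
    print("removed:", ", ".join(result["removed"]) or "-")
    for path, line, rule in result["where"]:
        print(f"  review {path}:{line}  ({rule})")
```

For real reports, replace the two embedded strings with the file contents, for example `review(open("v1.json").read(), open("v2.json").read())`. The output lists the new and dropped tags, and for each new high-risk tag the file and line to open first, which is the same question the HTML report answers interactively but in a form that can gate a dependency update in CI.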