Microsoft Application Inspector Open Sourced
Written by Kay Ewbank
Wednesday, 29 January 2020
Microsoft has open sourced Application Inspector, a tool that you can use to check open source components before you use them to see what they really do and whether there are any unusual or worrying features in the code.
Microsoft says Application Inspector is different from other static code analyzers because, rather than looking for 'bad' (or 'good') code patterns, it looks for 'interesting' features and metadata such as cryptography, connecting to a remote entity, and the platforms a component runs on.
Application Inspector was originally created for use within Microsoft when software engineers use open source software. The aim is to look for things in the code that would be time-consuming or difficult to identify through manual inspection.
The developers of Application Inspector say it is designed to be used on a single component or at scale, and can analyze millions of lines of source code from components written in many different programming languages. Microsoft uses Application Inspector to identify key changes to a component's feature set over time (version to version), since such changes can indicate anything from an increased attack surface to a malicious backdoor. It also uses the tool to identify high-risk components, and components with unexpected features, that warrant additional scrutiny. High-risk components include those involved in areas such as cryptography, authentication, or deserialization, where a vulnerability would have a greater impact.
Application Inspector is cross-platform and can produce output in multiple formats, including JSON and interactive HTML. It ships with hundreds of feature detection patterns covering a range of programming languages. Among the characteristics it detects are application frameworks, and cloud and service APIs including Microsoft Azure, Amazon AWS, and Google Cloud. As you'd expect, platform and cryptography are well covered, with detection of symmetric, asymmetric, hashing, and TLS usage. Data types can be checked for risks such as the handling of sensitive and personally identifiable information. Other checks cover operating system functions such as platform identification, file system, registry, and user accounts, and security features such as authentication and authorization.
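To make the idea concrete, here is an added example (written for this article, not Application Inspector's own code, rule set, or output format) of the two things described above: tagging "interesting" features in source code with a small pattern set, and diffing the feature set of two versions of a component to surface newly introduced high-risk behaviour. The tag names, regexes, high-risk policy and the two sample versions (V1 and V2 of a fictional package) are all assumptions constructed for the demonstration; a real rule set would be far larger and language-aware.

```python
"""Illustrative feature tagger and version-to-version feature diff.

Added example: this is NOT Application Inspector's code or its rule set.
The tags and regexes below are assumptions chosen to illustrate surfacing
'interesting' features (crypto, network, deserialization, platform calls)
rather than known-bad code, and the two sample component versions are
constructed for the demonstration.
"""
import json
import re
from collections import defaultdict

# Hypothetical pattern set (tag -> regexes), loosely modelled on the
# feature categories the article lists.
FEATURE_PATTERNS = {
    "Cryptography.Hashing":   [r"\bhashlib\.(md5|sha1|sha256|sha512)\b"],
    "Cryptography.Symmetric": [r"\bAES\b", r"\bFernet\b"],
    "Network.Http":           [r"\brequests\.(get|post)\b", r"\burllib\.request\b"],
    "Data.Deserialization":   [r"\bimport\s+pickle\b", r"\bpickle\.loads?\b", r"\byaml\.load\b"],
    "OS.Process":             [r"\bsubprocess\.\w+\b", r"\bos\.system\b"],
    "Platform.Windows":       [r"\bwinreg\b", r"\bctypes\.windll\b"],
    "Data.Sensitive":         [r"(?i)\b(password|secret|api_key)\s*="],
}
COMPILED = {tag: [re.compile(p) for p in pats] for tag, pats in FEATURE_PATTERNS.items()}

# Tags whose presence alone justifies extra review (assumed policy).
HIGH_RISK_PREFIXES = ("Cryptography.", "Data.Deserialization", "OS.Process")


def scan_source(text):
    """Map each feature tag to the (line_no, line) pairs that triggered it."""
    hits = defaultdict(list)
    for no, line in enumerate(text.splitlines(), 1):
        for tag, regs in COMPILED.items():
            if any(r.search(line) for r in regs):
                hits[tag].append((no, line.strip()))
    return dict(hits)


def feature_set(text):
    """The set of feature tags a component version exhibits."""
    return set(scan_source(text))


def diff_features(old_text, new_text):
    """Feature tags gained and lost between two versions of a component."""
    old, new = feature_set(old_text), feature_set(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def high_risk_tags(tags):
    """Subset of tags that match the assumed high-risk policy."""
    return sorted(t for t in tags if t.startswith(HIGH_RISK_PREFIXES))


def report(old_text, new_text):
    """JSON report of the version diff, flagging newly introduced high-risk features."""
    delta = diff_features(old_text, new_text)
    delta["high_risk_added"] = high_risk_tags(delta["added"])
    delta["evidence"] = {t: scan_source(new_text)[t] for t in delta["added"]}
    return json.dumps(delta, indent=2)


# Constructed sample: two versions of a small (fictional) package. Version 2
# silently swaps JSON config loading for pickle and adds an outbound POST.
V1 = """\
import hashlib
import json

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_config(path):
    with open(path) as f:
        return json.load(f)
"""

V2 = """\
import hashlib
import pickle
import requests

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_config(path):
    with open(path, "rb") as f:
        return pickle.load(f)

def report_usage(stats):
    requests.post("https://telemetry.example.invalid/collect", json=stats)
"""

if __name__ == "__main__":
    print(report(V1, V2))
```

Running it on the constructed versions reports that V2 gained Data.Deserialization and Network.Http, with Data.Deserialization flagged as high risk and the triggering lines listed as evidence. Two caveats apply to any detector of this kind, the real tool included: a feature tag is a prompt for review, not a finding of a vulnerability (the sha256 call is tagged too, and is harmless), and plain regex matching can be evaded by code that builds names dynamically, so an absent tag is weaker evidence than a present one.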
Application Inspector is available on GitHub at github.com/microsoft/ApplicationInspector.
Last Updated (Wednesday, 29 January 2020)