Microsoft Application Inspector Open Sourced
Written by Kay Ewbank   
Wednesday, 29 January 2020

Microsoft has open sourced Application Inspector, a tool that you can use to check open source components before you use them to see what they really do and whether there are any unusual or worrying features in the code.

Microsoft says Application Inspector is different from other static code analyzers because, rather than looking for 'bad' (or 'good') code patterns, it looks for 'interesting' features and metadata such as cryptography, connecting to a remote entity, and the platforms a component runs on.

microsoft

Application Inspector was originally created for use within Microsoft when software engineers use open source software. The aim is to look for things in the code that would be time-consuming or difficult to identify through manual inspection.

The developers of Application Inspector say it's designed to be used individually or at scale, and can analyze millions of lines of source code from components built using many different programming languages. Microsoft uses Application Inspector to identify key changes to a component’s feature set over time (version to version), as these can indicate anything from an increased attack surface to a malicious backdoor. They also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny,. High risk components include those involved in areas such as cryptography, authentication, or deserialization where a vulnerability would probably cause more problems.

Application Inspector is cross-platform and can produce output in multiple formats, including JSON and interactive HTML. It comes with hundreds of feature detection patterns covering a range of programming languages. Characteristics that are well supported for testing include application frameworks, and cloud and service APIs including  Microsoft Azure, Amazon AWS, and Google Cloud. As you'd expect, platform and cryptography are well covered, with support for symmetric, asymmetric, hashing, and TLS. Data types can be checked for risks including sensitive and personally identifiable information. Other checks include operating system functions such as platform identification, file system, registry, and user accounts, and security features such as authentication and authorization.

Application Inspector is available on GitHub. 

microsoft 

 

More Information

Application Inspector On GitHub

Related Articles

Most Used Stack Overflow Snippet Has A Bug

Microsoft Open Sources SandDance

Microsoft Open Sources Calc

Amazon Inspector For Security Compliance

GitHub Adds Security Alerts 

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Golang Back In TIOBE Top 10
21/02/2024

Google's system language Go is ranked #8 in the TIOBE Index for February 2024. This is the third time it has entered the Top 10. However, it is now in the highest position it has ever had to date.



Android 15 Developer Preview Released
19/02/2024

Android 15 Developer Preview has just been released by the Android team with features including partial screen sharing and the latest version of the Privacy Sandbox.


More News

raspberry pi books

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Wednesday, 29 January 2020 )