Microsoft Application Inspector Open Sourced
Written by Kay Ewbank   
Wednesday, 29 January 2020

Microsoft has open sourced Application Inspector, a tool that you can use to check open source components before you use them to see what they really do and whether there are any unusual or worrying features in the code.

Microsoft says Application Inspector is different from other static code analyzers because, rather than looking for 'bad' (or 'good') code patterns, it looks for 'interesting' features and metadata such as cryptography, connecting to a remote entity, and the platforms a component runs on.


Application Inspector was originally created for use within Microsoft when software engineers use open source software. The aim is to look for things in the code that would be time-consuming or difficult to identify through manual inspection.

The developers of Application Inspector say it's designed to be used individually or at scale, and can analyze millions of lines of source code from components built using many different programming languages. Microsoft uses Application Inspector to identify key changes to a component’s feature set over time (version to version), as these can indicate anything from an increased attack surface to a malicious backdoor. They also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny. High-risk components include those involved in areas such as cryptography, authentication, or deserialization where a vulnerability would probably cause more problems.
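The version-to-version comparison described above can be sketched in a few lines. This is an added example, not code from Application Inspector or from the article: the rule set, tag names, and the two releases of the made-up "textutil" package are all constructed for illustration and do not reflect the tool's own rules or output format.

```python
import re

# Hypothetical feature rules (tag -> regex); NOT Application Inspector's rule set.
RULES = {
    "Cryptography.Hashing": re.compile(r"\bhashlib\.\w+"),
    "Network.Connection": re.compile(r"\bsocket\.\w+|\burlopen\b"),
    "Data.Deserialization": re.compile(r"\bpickle\.loads?\b|\byaml\.load\b"),
    "OS.Process": re.compile(r"\bsubprocess\.\w+|\bos\.system\b"),
}

def detect_features(files):
    """Return {tag: [(path, line_no), ...]} for every rule that matches."""
    found = {}
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for tag, rx in RULES.items():
                if rx.search(line):
                    found.setdefault(tag, []).append((path, no))
    return found

def feature_delta(old_files, new_files):
    """Compare the feature tags of two releases of the same component."""
    old, new = detect_features(old_files), detect_features(new_files)
    return {
        # Tags that appear only in the new release, with where they were seen.
        "added": {t: new[t] for t in sorted(new.keys() - old.keys())},
        # Tags that disappeared between releases.
        "removed": sorted(old.keys() - new.keys()),
    }

# Constructed sample input: release 1 only hashes strings.
V1 = {
    "textutil/core.py":
        "import hashlib\n\ndef digest(s):\n"
        "    return hashlib.sha256(s.encode()).hexdigest()\n",
}
# Release 2 keeps core.py and gains a module that opens a socket
# and deserializes what it receives: features a text helper should not need.
V2 = {
    "textutil/core.py": V1["textutil/core.py"],
    "textutil/_compat.py":
        "import socket, pickle\n\ndef sync(host):\n"
        "    s = socket.create_connection((host, 443))\n"
        "    return pickle.loads(s.recv(4096))\n",
}

if __name__ == "__main__":
    for tag, hits in feature_delta(V1, V2)["added"].items():
        print(f"NEW FEATURE {tag}: {hits}")
```

Neither new tag says the code is "bad"; the delta only flags that the component's feature set grew in areas that merit a manual look before upgrading.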

Application Inspector is cross-platform and can produce output in multiple formats, including JSON and interactive HTML. It comes with hundreds of feature detection patterns covering a range of programming languages. Characteristics that are well supported for testing include application frameworks, and cloud and service APIs including Microsoft Azure, Amazon AWS, and Google Cloud. As you'd expect, platform and cryptography are well covered, with support for symmetric, asymmetric, hashing, and TLS. Data types can be checked for risks including sensitive and personally identifiable information. Other checks include operating system functions such as platform identification, file system, registry, and user accounts, and security features such as authentication and authorization.

Application Inspector is available on GitHub. 

More Information

Application Inspector On GitHub


Last Updated ( Wednesday, 29 January 2020 )