Microsoft offers Application Inspector to probe untrusted open source code

Microsoft has released the Microsoft Application Inspector, an open source .NET Core command-line tool for Windows, Linux and macOS that developers can use to analyze third-party open source software components for newly added backdoors and other vulnerabilities. 

Microsoft claims the Application Inspector static code analyzer is unique among the many static code analysis tools available because it doesn’t try to identify “good” or “bad” patterns but rather attempts to uncover “interesting” features based on over 500 rule patterns. It also has a customizable rules engine. 

The tool aims to identify features of software components that affect security, such as the use of cryptography, components that connect to a remote entity, and platforms it runs on. 

“Application Inspector differs from more typical static analysis tools in that it isn’t limited to detecting poor programming practices; rather, it surfaces interesting characteristics in the code that would otherwise be time-consuming or difficult to identify through manual introspection. It then simply reports what’s there, without judgement,” says Microsoft’s Customer Security and Trust team.

Microsoft provides a short snippet of Python code to illustrate that the tool can see that a program downloads content from a URL, writes to the file system, and then executes a shell command to list details of a file. 
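As an added illustration of the rule-based, judgement-free tagging the article describes (this is not Application Inspector's own code, rule format or tag names, which are all invented here), a minimal feature tagger run over a constructed snippet with the three behaviours mentioned above:

```python
import re
from typing import Dict, List, Tuple

# Hypothetical rule set: each regex maps to a feature tag. The rules describe
# what the code does (network, file system, shell, ...), not whether it is bad.
RULES: List[Tuple[str, str]] = [
    (r"\burllib\.request\.urlopen\(|\brequests\.get\(", "network.download"),
    (r"\bopen\([^)]*,\s*['\"]w", "filesystem.write"),
    (r"\bsubprocess\.(run|call|Popen)\(|\bos\.system\(", "process.shell"),
    (r"\bhashlib\.|\bcryptography\.|\bCrypto\.", "cryptography"),
    (r"\bpickle\.loads?\(|\byaml\.load\(", "deserialization"),
]


def inspect_source(source: str) -> Dict[str, List[int]]:
    """Return {feature_tag: [line numbers]} for every rule that matches."""
    findings: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, tag in RULES:
            if re.search(pattern, line):
                findings.setdefault(tag, []).append(lineno)
    return findings


# Constructed sample mirroring the behaviour the article describes: fetch a
# URL, write the content to disk, then run a shell command to list the file.
SAMPLE = '''
import urllib.request, subprocess
data = urllib.request.urlopen("https://example.invalid/data.bin").read()
with open("/tmp/out.bin", "wb") as f:
    f.write(data)
subprocess.run(["ls", "-l", "/tmp/out.bin"])
'''

if __name__ == "__main__":
    # Reports what is present, with the line it was found on, and nothing more.
    for tag, lines in sorted(inspect_source(SAMPLE).items()):
        print(f"{tag}: lines {lines}")
```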

However, it argues that developers would often need to inspect components that contain tens of thousands of lines of code, with many modern web applications relying on hundreds of components. 

The tool, it promises, can analyze millions of lines of source code from components that are built in multiple popular programming languages, although it hasn’t specified which languages other than Python. 

Microsoft says the open source tool helps it spot risky and unexpected features in components that deserve extra attention, such as typically high-impact components that handle cryptography, authentication and deserialization. 

The resulting report delivers a list of components in an application as well as icons next to each of them signaling the specific features identified in the source code. It also has a more detailed explanation and provides links to view the source code snippets behind each feature. 

Characteristics it is capable of looking for include development and testing application frameworks; cloud interfaces for Microsoft Azure, AWS, and Google Cloud Platform; cryptography; sensitive data types and PII; operating system functions; and security features like authentication and authorization. 

Copyright © 2020 IDG Communications, Inc.