Microsoft has released the Microsoft Application Inspector, a cross-platform open-source command-line tool that its engineers use to quickly probe third-party open-source software components for security issues.
The static source-code analyzer aims to help developers handle potential security issues that arise through code reuse when incorporating open-source components, such as software libraries, into a project.
“Reuse has great benefits, including time to market, quality, and interoperability, but sometimes brings the cost of hidden complexity and risk,” write Guy Acosta and Michael Scovetta, members of Microsoft’s Customer Security and Trust team.
“You trust your engineering team, but the code they write often accounts for only a tiny fraction of the entire application. How well do you understand what all those external software components actually do?”
As they note, modern web applications often contain hundreds of third-party components, amounting to tens of thousands of lines of code written by thousands of contributors. Developers who use those components typically rely on the author’s description, which Microsoft argues is neither reliable nor sufficient to meet its responsibility for shipping secure code, a responsibility that extends to the external components it ships.
Microsoft argues Application Inspector is a unique static code analyzer because it doesn’t flag ‘good’ or ‘bad’ patterns but rather highlights ‘interesting’ features in a report based on over 500 rule patterns. The idea is that the tool can help identify these interesting characteristics more quickly than manual introspection.
The tool targets features of software components that affect security, such as the use of cryptography, connections to a remote entity such as a public cloud, and the platforms a component runs on.
Application Inspector is built on .NET Core, which means it can be used by developers on Windows, Linux or macOS.
“Application Inspector’s primary objective is to identify source-code features in a systematic and scalable way not found elsewhere in typical static analyzers. This enables developers and security professionals to validate purported component objectives, e.g., a string padding library only does what it says,” Microsoft explains in a wiki.
The tool can analyze millions of lines of source code from components that are built in multiple popular programming languages.
Application Inspector produces a browser-based report that summarizes the major characteristics identified, including application frameworks, cloud interfaces, cryptography, sensitive data like access keys, personally identifiable information, operating system functions, and security features.
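The feature-tagging idea described above, as an added illustration that is not code from Microsoft's tool: a small Python scanner with a handful of constructed rule patterns (not Application Inspector's actual 500-plus rules) tags "interesting" characteristics per source line, rolls them up into a report grouped by category, and then compares that report against what a component claims to do, using the wiki's string-padding-library example. The rule set, tag names, categories and sample files are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed rule set: each rule is (tag, report category, regex). The point is
# not "good" or "bad" code; a hit simply records that a feature is present.
RULES = [
    ("crypto.aes", "cryptography", r"\bAES\.new\b|\bAESGCM\b"),
    ("crypto.hash.md5", "cryptography", r"\bhashlib\.md5\b"),
    ("net.http", "cloud/network", r"\brequests\.(get|post)\b|\bhttp\.client\b"),
    ("cloud.aws", "cloud/network", r"\bboto3\b|\.amazonaws\.com"),
    ("secret.access_key", "sensitive data", r"AKIA[0-9A-Z]{16}"),
    ("os.process", "operating system", r"\bsubprocess\.|\bos\.system\("),
    ("auth.jwt", "security feature", r"\bjwt\.(encode|decode)\b"),
]
COMPILED = [(tag, re.compile(rx)) for tag, _cat, rx in RULES]
CATEGORY_OF = {tag: cat for tag, cat, _rx in RULES}


def tag_source(text):
    """Scan one file's text; return {tag: [1-based line numbers where it matched]}."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag, rx in COMPILED:
            if rx.search(line):
                hits[tag].append(lineno)
    return dict(hits)


def summarize(files):
    """files: {filename: source}. Return {category: sorted tags} across the component."""
    summary = defaultdict(set)
    for src in files.values():
        for tag in tag_source(src):
            summary[CATEGORY_OF[tag]].add(tag)
    return {cat: sorted(tags) for cat, tags in summary.items()}


def check_claim(files, expected_categories):
    """Return feature categories present that the component's description did not lead
    you to expect. An empty list means the code matches its purported objective."""
    return sorted(set(summarize(files)) - set(expected_categories))


# Constructed sample: a "string padding library" whose extra modules do more than pad.
SAMPLE_COMPONENT = {
    "pad.py": "def pad_left(s, n, ch=' '):\n    return ch * (n - len(s)) + s\n",
    "telemetry.py": (
        "import requests\n\n"
        "def report(s):\n"
        "    requests.post('https://example.invalid/collect', data=s)\n"
    ),
    "fingerprint.py": (
        "import hashlib\n\n"
        "def fingerprint(s):\n"
        "    return hashlib.md5(s.encode()).hexdigest()\n"
    ),
}

if __name__ == "__main__":
    for name, src in SAMPLE_COMPONENT.items():
        print(name, tag_source(src))
    print("report:", summarize(SAMPLE_COMPONENT))
    # A pure string-padding library should need no network or crypto features.
    print("unexpected:", check_claim(SAMPLE_COMPONENT, []))
```

Running it shows `pad.py` with no features at all, while the network call in `telemetry.py` and the hashing in `fingerprint.py` surface as "unexpected" for a component described only as a padding library; that gap between description and observed features is what a reviewer would then read in detail.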
The company stresses, however, that Application Inspector doesn’t remove the need for security code review or a security static analyzer, though it could be a useful addition for developers facing tight deadlines.
Acosta recently demonstrated Application Inspector at the SecTor conference in Canada.