Microsoft has announced the release of the source code of your source code analysis tool "Microsoft Application Inspector ", in order to help developers who rely on external software components. Microsoft Application Inspector is a source code analyzer Designed to reveal important features and other characteristics of software components, it uses static analysis with a JSON-based rule engine.
This code analyzer differs from other tools of the same type because it is not limited to detecting only programming practices, since is designed in such a way that, during code control, those characteristics that generally require careful manual analysis are identified and highlighted.
According to the explanations provided by Microsoft about the tool:
Microsoft Application Inspector does not attempt to identify "good" or "bad" models. You are content to report what you find by referring to a set of more than 400 rule templates for feature detection. According to Microsoft, this also includes features that have a security impact, such as the use of encryption and more.
The tool works from the command line and is cross-platform. It is designed to scan components before use to help determine what the software is or does.
The data you provide can be helpful in reducing the time it takes to determine what software components do by examining the source code directly, rather than relying on mostly limited documentation or recommendations.
Microsoft Application Inspector supports parsing of various programming languages, These include: C, C++, C#, Java, JavaScript, HTML, Go, PowerShell, etc, as well as the inclusion of HTML, JSON and text output formats.
Microsoft Application Inspector developers say that is designed to be used individually or at scale and it can analyze millions of lines of source code for components built using many different programming languages.
Microsoft uses the Application Inspector to identify key changes to a component's feature set over time (version by version), as they can indicate anything from an increased attack surface to a malicious backdoor.
They also use the tool to identify high-risk components and those with unexpected characteristics that require additional scrutiny. High-risk components include those involved in areas such as cryptography, authentication, or deserialization where a vulnerability would likely cause more problems.
As the goal is to quickly identify third-party software components at risk based on its specifics, but the tool is also useful in many insecure contexts.
Basically, these are the most important characteristics Microsoft Application Inspector:
- A JSON-based rule engine that performs static analysis.
- The ability to analyze millions of lines of source code from components created with many languages.
- The ability to identify high-risk components and those with unexpected characteristics.
- The ability to identify changes to a component's feature set, version by version, that can indicate anything from a malicious backdoor to a larger attack surface.
- The ability to generate results in multiple formats, including JSON and HTML.
- The ability to discover features that cover Microsoft Azure, Amazon Web Services, and Google Cloud Platform service APIs and operating system features, such as file system, security features, and application frameworks.
As expected, platform and crypto are well covered, with support for symmetric, asymmetric, hash, and TLS.
The types of data can be checked for risks, including sensitive and personally identifiable information.
Other checks include operating system functions such as platform identification, file system, registry, and user accounts, and security features such as authentication and authorization.
Finally for those who are interested In testing Microsoft Application Inspector, they should know that it is already available on GitHub.