A large number of enterprises and individuals rely on open source software, either as utilities or as a base for further development (code reuse). Developers and users of applications need to test third-party open source components for security issues, so a tool to verify them was essential. Developers and users want to know what is in an open source software component before using it. Modern software development practices often involve building applications from hundreds of existing components, whether they are written by another team in the organisation, an external vendor, or someone in the open source community. Reuse has great benefits, including time-to-market, quality, and interoperability, but it sometimes brings the cost of hidden complexity and risk.
The static source-code analyzer aims to help developers handle potential security issues that arise through code reuse when incorporating open source components, such as software libraries, into a project. Microsoft had also developed software to test open source software in order to provide its customers with high-quality software and services. Recognizing the inherent risks in trusting open source software, Microsoft created a source code analyzer called "Microsoft Application Inspector" to identify "interesting" features and metadata, such as the use of cryptography, connections to remote entities, and the platforms the code runs on.
Application Inspector differs from more typical static analysis tools in that it is not limited to detecting poor programming practices; rather, it surfaces interesting characteristics in the code that would otherwise be time-consuming or difficult to identify through manual inspection. It then simply reports what is there, without drawing a conclusion. Microsoft claims the "Application Inspector" static code analyzer is unique among the many static analysis tools available because it does not try to identify "good" or "bad" patterns but instead attempts to uncover "interesting" features based on over 500 rule patterns. It also has a customizable rules engine.
In a recent announcement, Microsoft released "Microsoft Application Inspector" as an open source .NET Core command-line tool for Windows, Linux and macOS that developers can use to analyze third-party open source software components for newly added backdoors and other vulnerabilities.
Application Inspector can be downloaded free of charge and run to identify interesting features in source code, enabling users to better understand the software components their applications are using. Application Inspector is open source, cross-platform (.NET Core), and can be downloaded at github.com/Microsoft/ApplicationInspector. We can use Application Inspector to identify key changes to a component's feature set over time (version to version), which can indicate anything from an increased attack surface to a malicious backdoor. We can also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny, on the theory that a vulnerability in a component involved in cryptography, authentication, or deserialisation would likely have a higher impact than others. Microsoft has also solicited feedback and suggestions, including code changes, from the community on the "Application Inspector" tool.
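To illustrate the approach described above (pattern rules that tag "interesting" features without a good/bad verdict, then a version-to-version diff of the feature set), here is an added example in Python; it is not Microsoft's code and its rules and sample sources are hypothetical, not Application Inspector's own rule format.

```python
import re

# Hypothetical feature rules in the spirit of Application Inspector's rule
# patterns (not the tool's own format): each tag maps to regexes that signal it.
RULES = {
    "Cryptography": [r"\bhashlib\b", r"\bAES\b", r"\bRSA\b"],
    "Network.Remote": [r"\bsocket\b", r"requests\.(get|post)", r"\burlopen\b"],
    "Deserialization": [r"pickle\.loads?", r"yaml\.load\b", r"marshal\.loads?"],
    "Authentication": [r"\bpassword\b", r"\btoken\b"],
}

def detect_features(source: str) -> set:
    """Return the set of feature tags present in the source; reports only."""
    tags = set()
    for tag, patterns in RULES.items():
        if any(re.search(pat, source) for pat in patterns):
            tags.add(tag)
    return tags

def feature_diff(old_src: str, new_src: str) -> dict:
    """Tags gained or lost between two versions of a component."""
    old, new = detect_features(old_src), detect_features(new_src)
    return {"added": sorted(new - old), "removed": sorted(old - new)}

# Constructed sample: two versions of a small component. The newer one
# gains remote connectivity and deserialization, which warrants scrutiny.
V1 = '''
import hashlib
def checksum(data):
    return hashlib.sha256(data).hexdigest()
'''
V2 = '''
import hashlib, socket, pickle
def checksum(data):
    return hashlib.sha256(data).hexdigest()
def sync(host):
    s = socket.socket(); s.connect((host, 8080))
    return pickle.loads(s.recv(4096))
'''

if __name__ == "__main__":
    print(feature_diff(V1, V2))
```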