Microsoft has introduced a new source code analyzer tool dubbed Microsoft Application Inspector. The tool is designed to “identify interesting features in source code” and can help developers understand the software components their apps use.
Guy Acosta and Michael Scovetta, of Microsoft’s Customer Security and Trust team, announced the new tool on January 16 in a blog post.
They added that the tool differs from other static analysis tools in that “it surfaces interesting characteristics in the code that would otherwise be time-consuming or difficult to identify through manual introspection.”
Key scenarios
Organizations and users can use Application Inspector to “identify key changes” to a software component’s features over time. Such changes could lead to higher-risk issues, such as malicious backdoors or an increased attack surface.
“We also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny, under the theory that a vulnerability in a component that is involved in cryptography, authentication, or deserialization would likely have higher impact than others,” Microsoft added.
Sample reports
Microsoft also provided some sample reports, such as key application features identified in source code (see Figure A).
Each of the features (icons) can then be expanded to reveal more specific categories. As pictured in Figure B below, categories can include network communications, file write, file delete and multi-threaded issues.
Characteristics
Microsoft also said Application Inspector includes support for popular detection patterns, including the following characteristics:
- Application frameworks (development, testing).
- Cloud / Service APIs (such as Microsoft Azure, Amazon AWS, and Google Cloud Platform).
- Cryptography (symmetric, asymmetric, hashing, and TLS).
- Data types (sensitive, personally identifiable information).
- Operating system functions (platform identification, file system, registry, and user accounts).
- Security features (authentication and authorization).
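To make the approach concrete, here is a small added example (not Application Inspector's own code, rule format or report output) that tags source text with constructed characteristic patterns like those listed above, diffs the tag set between two versions of a component as the “identify key changes” scenario describes, and flags the categories the announcement singles out for extra scrutiny (cryptography, authentication, deserialization). Every rule pattern, tag name and the two sample sources are constructed for illustration.

```python
"""
Toy characteristic scanner illustrating the idea behind Microsoft Application
Inspector: tag source files with the features they use (crypto, network,
file I/O, deserialization, ...) via regex patterns, then diff the tag sets of
two versions of a component to surface newly acquired characteristics.

This is an added illustration, not Application Inspector's rules, rule format
or report output. All patterns and sample sources below are constructed.
"""
import re
from collections import defaultdict

# Constructed rules: (tag, compiled pattern). The real tool ships far richer
# rule sets with per-language scoping; these are just enough to demonstrate.
RULES = [
    ("cryptography.symmetric", re.compile(r"\b(AES|DES|Rijndael|ChaCha20)\b")),
    ("cryptography.hashing",   re.compile(r"\b(MD5|SHA1|SHA256|SHA512|hashlib)\b")),
    ("network.http",           re.compile(r"\b(requests\.(get|post)|HttpClient|fetch\()")),
    ("filesystem.write",       re.compile(r"open\([^)]*['\"](w|a)['\"]")),
    ("filesystem.delete",      re.compile(r"\b(os\.remove|os\.unlink|File\.Delete|unlink)\b")),
    ("deserialization",        re.compile(r"\b(pickle\.loads?|yaml\.load|BinaryFormatter)\b")),
    ("authentication",         re.compile(r"\b(password|Authorization|Bearer)\b", re.IGNORECASE)),
    ("threading",              re.compile(r"\b(threading\.Thread|Task\.Run|std::thread)\b")),
]


def scan_source(text):
    """Return {tag: [line numbers]} for every rule that matches in `text`."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag, pattern in RULES:
            if pattern.search(line):
                hits[tag].append(lineno)
    return dict(hits)


def feature_set(text):
    """The set of characteristic tags present in a piece of source."""
    return set(scan_source(text))


def diff_features(old_text, new_text):
    """Characteristics gained and lost between two versions of a component."""
    old, new = feature_set(old_text), feature_set(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def high_risk_tags(tags, risky=("cryptography", "authentication", "deserialization")):
    """Tags in the categories the announcement says deserve extra scrutiny."""
    return sorted(t for t in tags if t.split(".")[0] in risky)


# Constructed sample: version 1 of a small component only hashes a file ...
V1 = '''
import hashlib
def checksum(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()
'''

# ... while version 2 quietly grew network access and unsafe deserialization,
# exactly the kind of "key change" a reviewer would want surfaced.
V2 = '''
import hashlib, pickle, requests
def checksum(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()
def load_config(url):
    return pickle.loads(requests.get(url).content)
'''

if __name__ == "__main__":
    for name, src in (("v1", V1), ("v2", V2)):
        print(name, scan_source(src))
    print("changes:", diff_features(V1, V2))
    print("needs scrutiny:", high_risk_tags(feature_set(V2)))
```

Running the script reports that v2 added the `deserialization` and `network.http` characteristics relative to v1, and that its hashing and deserialization tags fall into the high-scrutiny categories; a real deployment would run such a comparison on every dependency update rather than on inline strings.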
Finally, users can download the open source Application Inspector tool at github.com/Microsoft/ApplicationInspector.