Microsoft Released Source Code Analysis Tool “Application Inspector”

On January 16, 2020, Microsoft released Microsoft Application Inspector, a tool for analyzing the security-relevant characteristics of open source components.

Microsoft Application Inspector is a command line tool that performs static analysis of source code. It is implemented in .NET Core and runs on Windows, macOS, and Linux. Using a JSON-based rule engine, it identifies what a component does and which operating system, framework, and library functions it calls internally. It can report, for example, whether the target component uses cryptography, whether it communicates with remote endpoints, and which platforms it targets. Results can be written in several formats, including JSON and HTML.

The tool was originally developed at Microsoft to vet external open source components before adopting them in-house. Unlike typical static analysis tools, it is not limited to flagging poor programming practices; its focus is surfacing code characteristics that are hard to find by manual inspection. For example, Microsoft uses Application Inspector to see how the feature set of an open source component changes when moving to a newer version, which helps reveal whether a backdoor has been introduced or the attack surface has grown.

It supports the major programming languages. The detection patterns comprise over 500 rules covering characteristics such as frameworks (development, testing), cloud and service APIs (Microsoft Azure, Amazon AWS, and Google Cloud Platform), cryptography (symmetric, asymmetric, hashing, and TLS), data types (sensitive data, personally identifiable information), operating system functions, and security features. Note that results report what was detected; they are not reduced to a simple "good" or "bad" verdict.
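To make the JSON rule engine and the version-comparison workflow described above concrete, here is an added example that is not code from Application Inspector or from Microsoft: a small Python re-implementation of the idea. The two rules follow Application Inspector's JSON rule format as far as its field names are known to me (name, id, description, tags, severity, applies_to, and patterns with pattern, type, scopes, and confidence); treat the exact schema as an assumption and compare it with the rule files in the repository before writing real rules. The rule IDs, the tag names, and the two "versions" of the sample component are constructed for the example.

```python
import json
import re

# Custom rules in Application Inspector's JSON rule format. The field names
# follow the public rule files as recalled for this example (an assumption);
# compare with the rules shipped in the repository before relying on them.
RULES_JSON = r'''
[
  {
    "name": "Cryptography: MD5 hashing",
    "id": "EX000001",
    "description": "Component computes an MD5 digest",
    "tags": ["Cryptography.HashAlgorithm.Legacy"],
    "severity": "important",
    "applies_to": ["python"],
    "patterns": [
      {"pattern": "hashlib\\.md5\\(", "type": "regex", "scopes": ["code"], "confidence": "high"}
    ]
  },
  {
    "name": "Network: outbound HTTP request",
    "id": "EX000002",
    "description": "Component sends data to a remote host",
    "tags": ["Network.Connection.Http"],
    "severity": "moderate",
    "applies_to": ["python"],
    "patterns": [
      {"pattern": "requests.post(", "type": "substring", "scopes": ["code"], "confidence": "high"},
      {"pattern": "urlopen", "type": "regexword", "scopes": ["code"], "confidence": "medium"}
    ]
  }
]
'''

# Constructed sample: two versions of a hypothetical "checksum" component.
# Version 2 quietly starts posting the digest to a remote host.
SOURCE_V1 = '''
import hashlib

def checksum(data: bytes) -> str:
    # requests.post("https://example.invalid") -- only a comment here
    return hashlib.md5(data).hexdigest()
'''

SOURCE_V2 = '''
import hashlib
import requests

def checksum(data: bytes) -> str:
    digest = hashlib.md5(data).hexdigest()
    requests.post("https://telemetry.example.invalid/collect", data=digest)
    return digest
'''


def compile_rules(rules_json: str, language: str):
    """Turn the JSON rules into (rule, [(compiled regex, scopes)]) pairs for one language."""
    compiled = []
    for rule in json.loads(rules_json):
        if language not in rule.get("applies_to", [language]):
            continue
        regexes = []
        for p in rule["patterns"]:
            kind, text = p.get("type", "regex"), p["pattern"]
            if kind == "regex":
                pat = text
            elif kind == "regexword":          # whole-word regex
                pat = r"\b" + text + r"\b"
            else:                              # "string" / "substring": literal match
                pat = re.escape(text)
            flags = re.IGNORECASE if "i" in p.get("modifiers", []) else 0
            regexes.append((re.compile(pat, flags), set(p.get("scopes", ["code"]))))
        compiled.append((rule, regexes))
    return compiled


def strip_python_comment(line: str) -> str:
    """Crude 'code' scope: drop a trailing # comment (does not handle # inside strings)."""
    return line.split("#", 1)[0]


def scan(source: str, compiled) -> dict:
    """Return {tag: [(line_no, rule_id), ...]} for every pattern hit in the source."""
    hits = {}
    for line_no, raw in enumerate(source.splitlines(), start=1):
        for rule, regexes in compiled:
            for regex, scopes in regexes:
                # Text inside a comment only counts if the pattern is scoped to comments.
                text = raw if "comment" in scopes else strip_python_comment(raw)
                if regex.search(text):
                    for tag in rule["tags"]:
                        hits.setdefault(tag, []).append((line_no, rule["id"]))
    return hits


def tag_diff(old_hits: dict, new_hits: dict):
    """Feature-set change between two versions: (tags added, tags removed)."""
    old, new = set(old_hits), set(new_hits)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    rules = compile_rules(RULES_JSON, "python")
    v1, v2 = scan(SOURCE_V1, rules), scan(SOURCE_V2, rules)
    added, removed = tag_diff(v1, v2)
    print("v1 tags:", sorted(v1))
    print("v2 tags:", sorted(v2))
    print("added in v2:", added, "removed in v2:", removed)
```

Running the script shows version 1 carrying only the legacy-hash tag and version 2 gaining Network.Connection.Http, which is exactly the kind of new outbound connection a reviewer would want to see before upgrading a dependency; the commented-out call in version 1 is ignored because the patterns are scoped to code. In the real tool the same comparison is its tagdiff command and custom rule files are passed to the analyze command; consult the command help for the current option names rather than this toy.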

Microsoft Application Inspector is available from the project's GitHub repository.

Microsoft Application Inspector
https://github.com/Microsoft/ApplicationInspector