- Application Inspector is a static code analyser that highlights ‘interesting’ features in a report based on over 500 rule patterns
- It is built on .NET Core
According to a report by zdnet, Microsoft has released the Microsoft Application Inspector, an open-source command-line tool. It is used by its engineers to probe third-party open-source software components for security issues.
The report said that that the static source-code analyzer aims to help developers handle potential security issues which come up through code reuse while incorporating open-source components like software libraries into a project.
The report also added that Guy Acosta and Michael Scovetta, members of Microsoft’s Customer Security and Trust team wrote that reuse has great benefits which includes time to market, quality, and interoperability. It also comes with the cost of hidden complexity and risk.
They further commented that the user trusts the engineering team but the code they write accounts for only a tiny fraction of the entire application. The report said that Acosta and Scovetta noted that modern web applications often have hundreds of third-party components. They contain tens of thousands of lines of code, which are written by thousands of contributors. Most of the times, developers who use those components rely on the author’s description which may not be reliable or enough to meet Microsoft’s responsibility for shipping secure code which includes external components.
According to Microsoft, the Application Inspector is a unique static code analyzer. This is because it does not flag ‘good’ or ‘bad’ patterns. It highlights ‘interesting’ features in a report based on over 500 rule patterns. The tool can help identify these interesting characteristics more quickly than manual introspection. Application Inspector is built on .NET Core. It can be used by developers on Windows, Linux or macOS.
The report said that Application Inspector produces a browser-based report that summaries the major characteristics identified. It includes application frameworks, cloud interfaces, cryptography, sensitive data like access keys, personally identifiable information, operating system functions, and security features.