Now reusing code will be less risky
News from Microsoft that Application Inspector is now open source has made software engineers a bit happy. Application Inspector can be used to check open source components before they are put into use. According to Microsoft, Application Inspector differs from other available static code analyzers: instead of hunting for bugs, it looks for interesting features and metadata, such as the use of cryptography, connections to remote entities, and the platforms on which a component runs.
Application Inspector was initially developed for in-house use at Microsoft, where software engineers rely on open source software. Its goal is to find the things within the code that would take developers more time, or be harder, to detect by manual review.
Today, most of the software development practices include building apps from hundreds of available components, regardless of who has written them. It could be a team in the organisation or someone from the open source community. Reuse has its own advantages, such as quality, interoperability, and time-to-market. However, at times it also brings the cost of hidden risks and complexities.
Companies have faith in their engineering team, but the code written by that team often accounts for merely a tiny fraction of the whole app. How does the company understand the functioning of all those external software components?
At Microsoft, software engineers take the help of open-source software to deliver premium quality software and services to the customers.
Application Inspector surfaces interesting characteristics in the code, saving time, and simply reports what's there without any judgment.
Take an instance of this snippet of Python source code:
[Image: Python source code snippet, not reproduced here]
In the example, a program downloads content from a URL and first writes it to the file system. After that, it executes a shell command to list the details of that file. When a developer runs Application Inspector over this same code, they will see the following features detected, which describe the capabilities of the component:
- Write
- Connection.Http
- DynamicExecution
Application Inspector is intended to be used on a single component or at scale, and it can analyse millions of lines of source code across components written in different programming languages, something that is impossible with manual effort.
How and where could Application Inspector help?
Software development teams can use Application Inspector to detect key changes to the features of a component, which can be anything from an increased attack surface to a malicious backdoor. It can also be used to find high-risk components, and those with unexpected features that require extra scrutiny. It is particularly valuable for components that deal with cryptography, authentication, and deserialization.
This latest source code analyser from Microsoft does not focus on finding poor programming practices within the analysed code. The need for Application Inspector is rooted in the vast number of components, both proprietary and open source, that go into developing an app. This cross-platform, command-line tool can deliver results in multiple formats, such as HTML and JSON, and it ships with hundreds of feature detection patterns covering the most widely used programming languages.
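The feature report for the Python snippet described above, and the detection of new features between two versions of a component mentioned here, as an added illustration. This is constructed example code, not Application Inspector's own code or rule set; the regex rules, the sample source and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the kind of Python snippet the article describes:
# fetch a URL, write the body to disk, then shell out to list the file.
# It is scanned as text here, never executed.
SAMPLE_SOURCE = '''
import os
import urllib.request

def fetch(url, path):
    data = urllib.request.urlopen(url).read()
    with open(path, "wb") as f:
        f.write(data)
    os.system("ls -l " + path)
'''

# Hypothetical rule set (an assumption, not the tool's real rule files):
# each feature tag is backed by regexes that signal that capability.
RULES: Dict[str, List[str]] = {
    "Connection.Http": [r"\burllib\.request\b", r"\brequests\.(get|post)\(", r"https?://"],
    "Write": [r"\bopen\([^)]*['\"][wa]b?['\"]", r"\.write\("],
    "DynamicExecution": [r"\bos\.system\(", r"\bsubprocess\.", r"\beval\(", r"\bexec\("],
    "Cryptography": [r"\bhashlib\.", r"\bssl\.", r"\bcryptography\."],
}

def detect_features(source: str, rules: Dict[str, List[str]] = RULES) -> Dict[str, List[int]]:
    """Return {tag: [matching line numbers]}. Like the tool described above,
    this only reports what is present; it passes no judgement on it."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for tag, patterns in rules.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(tag, []).append(lineno)
    return hits

def feature_tags(source: str) -> Set[str]:
    """The set of capability tags a report would list for this source."""
    return set(detect_features(source))

def new_features(old_source: str, new_source: str) -> Set[str]:
    """Tags that appear in a new version of a component but not the old one:
    the kind of feature change a reviewer wants flagged before updating."""
    return feature_tags(new_source) - feature_tags(old_source)

if __name__ == "__main__":
    for tag, lines in sorted(detect_features(SAMPLE_SOURCE).items()):
        print(f"{tag}: lines {lines}")
```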
Application Inspector comes with support for the following characteristic types:
- Application frameworks (testing and development)
- Cryptography (symmetric, asymmetric, TLS, and hashing)
- Cloud / service APIs (Amazon AWS, Microsoft Azure, and Google Cloud Platform)
- Data types (sensitive and personally identifiable information)
- OS functions (file system, registry, platform identification, and user accounts)
- Security features (authentication and authorisation)
- Control flow (dynamic code execution, process management)
- Data handling (object serialization (XML/JSON))
- PDF, Flash, Silverlight
Reports can be tailored by specifying custom rules or a custom report format. Operation is simple: the tool is started with the standard .NET command-line invocation, `dotnet ApplicationInspector.dll`, whether the developer is on Windows, Linux or macOS. The tool can be downloaded to a local testbed in compressed or uncompressed form.
The tool detects interesting features in source code, allowing you to understand the software components used by your applications. You can download it from its GitHub repository.
Please give feedback and share your experience using the latest code analyser, Application Inspector.