In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur due to the complexity of software and the use of open-source components that have not been thoroughly vetted. Application Inspector can be used to identify malicious code or back doors used in custom code solutions.
Microsoft introduced this tool in response to the number of external software components being pulled into custom development with little scrutiny applied to them. Guy Acosta, a security program manager at Microsoft, further explains:
You trust your engineering team, but the code they write often accounts for only a tiny fraction of the entire application. How well do you understand what all those external software components actually do? You may find that you’re placing as much trust in each of the thousands of contributors to those components as you have in your in-house engineering team.
Application Inspector is used at Microsoft because open source projects are incorporated into Microsoft applications. The tool identifies “interesting” features, metadata, the use of cryptography and connections to remote entities, such as an application calling home.
Many static analysis tools exist for analyzing source code and can identify poor or inconsistent coding practices. Application Inspector goes beyond that by identifying the intent of the source code. Microsoft has published the following code example to illustrate this. Within this code, a web request is made to the Microsoft.com website, the response is written to the file system, and the directory contents are then listed.
When Application Inspector analyzes this code, it identifies that the following operations take place:
- FileOperation.Write
- Network.Connection.Http
- Process.DynamicExecution
Image source: https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/
Another use case Microsoft has identified is code drift across multiple versions of a component, where the tool can flag malicious code that has been newly introduced. Acosta further explains:
We use Application Inspector to identify key changes to a component’s feature set over time (version to version), which can indicate anything from an increased attack surface to a malicious backdoor. We also use the tool to identify high-risk components and those with unexpected features that require additional scrutiny, under the theory that a vulnerability in a component that is involved in cryptography, authentication, or deserialization would likely have higher impact than others.
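To make the feature-tagging and version-to-version drift ideas above concrete, here is a small Python illustration written for this article; it is not Application Inspector's code or its shipped rule set. The rules, the C# sample and the `scan`/`feature_drift` helpers are constructed here and only borrow the three tag names the article lists; the real tool uses a far larger rule library.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    tag: str          # feature tag reported when the rule fires, e.g. FileOperation.Write
    pattern: str      # regular expression matched against each source line
    confidence: str   # how strongly a match implies the feature


# Illustrative rules (assumption: modelled on the tag names in the article, not the tool's own rules)
RULES = [
    Rule("Network.Connection.Http", r"\b(WebClient|HttpClient|WebRequest)\b|https?://", "high"),
    Rule("FileOperation.Write", r"\bFile\.(Write|Append)\w*\(|\bStreamWriter\b", "high"),
    Rule("Process.DynamicExecution", r"\bProcess\.Start\(|\bProcessStartInfo\b", "high"),
    Rule("Cryptography.Hash", r"\b(SHA256|SHA1|MD5)\b", "medium"),
]


def scan(source: str) -> dict:
    """Return {tag: [line numbers]} for every rule that matches at least one line."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if re.search(rule.pattern, line):
                hits.setdefault(rule.tag, []).append(lineno)
    return hits


def feature_drift(old_source: str, new_source: str) -> set:
    """Tags present in the new version of a component but absent from the old one."""
    return set(scan(new_source)) - set(scan(old_source))


# Constructed C# sample mirroring the article's description: fetch a page, write it, list a directory.
SAMPLE = """using System.Net;
using System.IO;
using System.Diagnostics;

var client = new WebClient();
string page = client.DownloadString("https://www.microsoft.com/");
File.WriteAllText("page.html", page);
Process.Start("cmd.exe", "/c dir");
"""
# Constructed "previous version" of the same component, before the process launch was added.
OLD_VERSION = "\n".join(SAMPLE.splitlines()[:7])

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(feature_drift(OLD_VERSION, SAMPLE))  # tags introduced between versions
```

Any tag in the drift set is a candidate for extra review, which is the triage signal the quote above describes.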
Developers can run the Application Inspector through a command-line tool and have a choice of outputting content in either JSON or an interactive HTML report.
Image source: https://www.microsoft.com/security/blog/2020/01/16/introducing-microsoft-application-inspector/
Application Inspector supports many popular application frameworks and cloud services, including Microsoft Azure, Amazon AWS and Google Cloud Platform. It can also identify uses of cryptography such as symmetric and asymmetric ciphers, hashing and TLS.
Support also exists for operating system functions, such as identifying the platform, file system operations, the registry and user accounts. Lastly, security features such as authentication and authorization schemes can also be identified.