Microsoft gives developers a closer inspection
Microsoft released an open source version of its Application Inspector, a cross-platform static analysis tool that reports what a piece of third-party software actually does, so engineers can judge the security implications before integrating it into their codebase.
Automated scanning: Developers can run their applications through Microsoft’s Application Inspector, which analyzes the source code and identifies key features of their software.
Developers can "surfac[e] features of interest and other characteristics to answer the question 'what's in it' using static analysis." That makes it well suited to scanning components before integrating them into a codebase, and to detecting feature-level changes between one version of a component and the next.
The Application Inspector then generates a report that identifies "application frameworks, cloud interfaces, cryptography, sensitive data like access keys, personally identifiable information, operating system functions, and security features."
Knowing which of these features a component brings in lets a developer judge how that open source software affects their product's functionality and security.
A new angle on the growing security problem: Most applications today include thousands of lines of code written by thousands of other developers. As a result, many tech companies are working to implement automated and more rigorous security guardrails.
Application Inspector follows this trend, but approaches the problem from a slightly different angle. It works as a code profiler, searching for key characteristics in a codebase and leaving it to developers to decide whether a component's functionality is scoped appropriately for the job it was brought in to do.
That makes Application Inspector a complement to, not a replacement for, package vulnerability management and security-focused static analysis: it reports what a component does, not whether it is vulnerable. The result is richer automated tooling for developers' growing security responsibilities.
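To make the profiling idea concrete, here is an added example that is not Application Inspector's own code and not based on its rule files. It implements the same approach in miniature: a handful of tagged regex rules (the tag names, the patterns and the two "versions" of a sample project are all constructed for this illustration), a profiler that reports which characteristics appear and where, and a diff of the feature sets between two versions, which is the "feature-level changes" use case described above. The sample access key uses the placeholder format from AWS documentation and is not a real credential.

```python
import re
from collections import defaultdict

# Constructed rule set, loosely modelled on the categories the article lists
# (frameworks, cloud interfaces, cryptography, secrets, OS functions).
# The tag names and regexes are this example's own, not the tool's rules.
RULES = [
    ("Framework.Flask",      re.compile(r"\bfrom\s+flask\s+import\b|\bFlask\(")),
    ("Cloud.AWS",            re.compile(r"\bimport\s+boto3\b|\bboto3\.client\(")),
    ("Cryptography.Hash",    re.compile(r"\bhashlib\.sha(256|384|512)\(")),
    ("Cryptography.WeakHash", re.compile(r"\bhashlib\.(md5|sha1)\(")),
    ("Secret.AWSAccessKey",  re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("OS.ProcessExec",       re.compile(r"\b(os\.system|subprocess\.(run|Popen|call))\(")),
    ("Network.HTTPClient",   re.compile(r"\brequests\.(get|post|put|delete)\(")),
]


def profile(files):
    """files: {path: source_text}. Returns {tag: [(path, lineno, line), ...]}.

    Every matching line is recorded, so the report shows where each
    characteristic lives, not just that it exists. Comment-only lines are
    skipped so that a mention in a comment does not count as a feature.
    """
    findings = defaultdict(list)
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if stripped.startswith("#"):
                continue
            for tag, pattern in RULES:
                if pattern.search(line):
                    findings[tag].append((path, lineno, stripped))
    return dict(findings)


def feature_set(files):
    """The set of tags present in a code tree: the 'what's in it' answer."""
    return set(profile(files))


def feature_diff(old_files, new_files):
    """Tags gained or lost between two versions of the same component."""
    old, new = feature_set(old_files), feature_set(new_files)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


# Constructed sample input: version 1 of a small web app ...
OLD_VERSION = {
    "app.py": (
        "from flask import Flask\n"
        "import hashlib\n"
        "app = Flask(__name__)\n"
        "def fingerprint(data):\n"
        "    return hashlib.sha256(data).hexdigest()\n"
    ),
}

# ... and version 2, which quietly grew a cloud client, a hard-coded key
# and a shell call. The key is the AWS documentation placeholder format.
NEW_VERSION = {
    "app.py": OLD_VERSION["app.py"],
    "sync.py": (
        "import boto3\n"
        "import os\n"
        "# constructed example only, not a real credential\n"
        "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
        "s3 = boto3.client('s3', aws_access_key_id=AWS_KEY)\n"
        "def cleanup(path):\n"
        "    os.system('rm -rf ' + path)\n"
    ),
}


if __name__ == "__main__":
    for tag, hits in sorted(profile(NEW_VERSION).items()):
        for path, lineno, line in hits:
            print(f"{tag:24} {path}:{lineno}: {line}")
    print("changes since previous version:", feature_diff(OLD_VERSION, NEW_VERSION))
```

Run against the constructed input, version 1 profiles as a Flask app that uses SHA-256, while the diff to version 2 reports three new characteristics (an AWS cloud interface, an access-key-shaped string and process execution) and nothing removed. None of those is a vulnerability in itself, which is the point of this kind of report: it tells the reviewer what questions to ask about a component, not whether the answers are acceptable.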