Guy Acosta edited this page Oct 23, 2019 · 36 revisions

Welcome to the Application Inspector Wiki!

Public Preview Is Now Available

The project is well underway with basic functionality and was presented at SecTor 2019 but is undergoing additional improvements to UI and rules in some cases to achieve the highest accuracy and to increase breadth.

Overview

The tool's primary value is to help validate a source code component's purported objectives against hundreds of feature-identifying patterns, as well as detecting feature changes between versions, including key security and privacy features.

Unseen Threats

A well-constructed and hidden backdoor can go undetected by a tool that only looks for poor security programming practices, because it doesn't look at context at a feature level. Knowing what is in your software is the first step to making choices about what actions are appropriate before allowing it to be deployed in your own or customer environments. Unlike a typical source code static analyzer,

Why It's Different

Modern applications rely heavily on software written outside of your company, which comes with risks. Application Inspector can help you identify interesting characteristics of an application by examining its source code. While other tools play an important role in automating the detection of vulnerabilities, Application Inspector helps to answer the question "what is in it?" Application Inspector is judgement-free, focusing instead on informing security and other scenarios by surfacing details that might otherwise go unnoticed.

Core Features

  • Characterizing key features of source code
  • Detecting sudden feature changes between component versions
  • Mapping detected features to security requirements
  • True/false testing if specific features are present or not

Example Characteristics/Features Detection

Control Flow

  • Dynamic Code Execution
  • Process Management

Cryptography

  • Encryption
  • Hashing
  • Secrets
  • Randomization

OS Operations

  • File System
  • Environment Variables
  • Network Operations
  • User Accounts

Data

  • JSON/XML
  • Object Serialization
  • Secrets / Access Keys
  • Sensitive Data
  • SQL / ORM

Frameworks

  • Development
  • Testing
  • Dependencies

Service Providers

  • Cloud Services

Typical users

  • DevOps Engineers - View source code characteristics at a feature level to determine whether a component contains only what is expected. Use it to compare versions and find alternates, identifying sudden and unexpected feature changes of significance.
  • IT Security Auditors - Evaluate risk presented when third-party software is included in solution source.

How to Run Application Inspector

Overview

The application is a client-side .NET tool that does not require elevated privileges. To run it, use the standard dotnet command line to invoke it, i.e. dotnet ApplicationInspector.dll, or on Windows ApplicationInspector.exe. See the readme for more. The application has built-in help. There is no local database, and the application makes no network posts; the HTML report option may reference online stylesheet libraries.

The basic steps for running are:

  1. Download a component in compressed or uncompressed form.
  2. Run ApplicationInspector, pointing it at the component source code and using the target command and report format options.

Customizing Application Inspector

There are two primary ways to customize the content of the report results:

  • Customize Rules (feature patterns to scan for, e.g. a regex and language)
  • Customize Report (filter what features to display in the report output)

Customize Rules

You may add/edit/remove default rules or patterns as needed. You can also add your own rules in a separate path alongside the default set, and either retain the default set or exclude it using command line options. See the built-in help for more, and this wiki for a how-to on the rules schema.
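To make the rule idea above and the "detecting feature changes between versions" core feature concrete, here is a small added illustration (not Application Inspector's own code, and not its rules schema): a constructed, hypothetical rule set maps regex patterns to feature tags, optionally restricted to a language, and two constructed versions of a file are compared so that newly appearing tags stand out.

```python
import re

# Constructed rule set in the spirit of the wiki (hypothetical format, NOT
# Application Inspector's real rules schema): each rule maps a regex pattern
# to a feature tag and, optionally, to the languages it applies to.
RULES = [
    {"tag": "Cryptography.Hashing", "pattern": r"\b(MD5|SHA1|SHA256|hashlib)\b", "languages": None},
    {"tag": "ControlFlow.DynamicExecution", "pattern": r"\b(eval|exec)\s*\(", "languages": ["python"]},
    {"tag": "OS.Process", "pattern": r"\bsubprocess\.(run|Popen|call)\b", "languages": ["python"]},
    {"tag": "OS.Network", "pattern": r"\b(socket\.socket|urllib\.request|requests\.(get|post))\b", "languages": None},
    {"tag": "Data.Secrets", "pattern": r"(?i)\b(api[_-]?key|password)\s*=\s*['\"][^'\"]+['\"]", "languages": None},
]

def detect_features(source, language):
    """Return the set of feature tags whose pattern matches the source."""
    found = set()
    for rule in RULES:
        # A rule with a language restriction is skipped for other languages.
        if rule["languages"] and language not in rule["languages"]:
            continue
        if re.search(rule["pattern"], source):
            found.add(rule["tag"])
    return found

def feature_diff(old_source, new_source, language):
    """Compare two versions: tags that appeared and tags that disappeared."""
    old_tags = detect_features(old_source, language)
    new_tags = detect_features(new_source, language)
    return {"added": sorted(new_tags - old_tags), "removed": sorted(old_tags - new_tags)}

# Constructed sample: v1 only hashes a file; v2 additionally launches a
# process and makes a network call, which a reviewer would want to notice.
V1 = '''import hashlib
def digest(path):
    return hashlib.sha256(open(path, "rb").read()).hexdigest()
'''
V2 = '''import hashlib, subprocess, urllib.request
def digest(path):
    d = hashlib.sha256(open(path, "rb").read()).hexdigest()
    subprocess.run(["uname", "-a"])
    urllib.request.urlopen("http://example.invalid/?d=" + d)
    return d
'''

if __name__ == "__main__":
    print(feature_diff(V1, V2, "python"))
```

Running it reports OS.Network and OS.Process as added between the two versions while Cryptography.Hashing is unchanged, which is the kind of "sudden feature change" the wiki refers to.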

Custom Report

Application Inspector builds the HTML profile report section and the JSON output dynamically around the indicated preferred tags. You may add/edit/remove feature groups by modifying the preferences\tagreportgroups.json file. Simply update the patterns and icons indicated there to adjust and filter the report content.