Software behavior – an overlooked risk
Leaders invest in software development to achieve business goals faster. With constant pressure around pushing new features and speed to market, it is difficult for IT organizations to keep tabs on the capabilities and behaviors of the portfolio of software they build. While typical application security testing like static application security testing (SAST) and software composition analysis (SCA) are used to help spot known vulnerabilities and anti-patterns, a necessary part of reducing risk for a business requires a solid knowledge of your applications’ features and capabilities.
Targeting the things that matter
The goal of application security teams is to protect the business from relevant threats so developers’ primary focus can remain on new features that deliver innovation and growth. For any given organization those threats may look and feel a bit different.
For example, some companies’ software portfolios may rely heavily on sending and receiving data from external sites, where pre-built patterns around secure input and output handling would increase developer efficiency. Others may have a large prevalence of source code and third-party dependencies related to cryptography, where evangelizing the right hashing algorithms and encryption protocols used across the portfolio reduces significant risk.
But without knowing what’s happening in an application’s code base, reducing risk and optimizing one’s portfolio for the right business outcomes becomes harder because threat prevention, developer education efforts such as security champions programs, and software portfolio strategy become a guessing game.
Reducing business risk with Application Inspector
Microsoft’s Application Inspector is an open-source tool that identifies a long list of “interesting” features in source code, such as...
- What types of interactions the software has with the underlying operating system
- Whether the application has any integration with popular social media sites
- Whether the application may collect personal user data, triggering the need for privacy controls
Such information can be used to understand which risks pose the greatest threat to the software your organization develops.
KPMG has identified a few moments where Application Inspector can help answer difficult questions:
| Number | Moment | Application Inspector can answer questions like... | Useful for... |
| 1 | When you need to understand a single application | What are the main things this application does? | Knowing what controls I may need around my application (goes well with an SBOM) |
| 2 | When you need to understand a portfolio of applications | What is it that my portfolio of applications does, and how is that changing over time? | Planning technology investments and security pattern creation |
| 3 | When there has been a cyber security breach | Has something changed in the functionality of a particular application since the attacker had access to my source code repositories? | Protecting users from a malicious actor as part of incident response |
| 4 | When you need to understand what capabilities malware has and you have the source code | What does this malware do? | Knowing what remediation is needed or preventative controls I may need in the future |
Application Inspector is free to use, can be automated in build pipelines for DevSecOps teams, and updated regularly with new features. Adding Application Inspector to a software management toolset, in combination with traditional application security capabilities like SAST and SCA, may help to more quickly and accurately protect the organization from relevant threats, identify opportunities for feature rationalization across the portfolio, and devote more time to the frequent production of high-quality software.
Microsoft and KPMG are alliance partners and frequently work together to solve the hardest business problems facing large organizations.
This blog article is not intended to address or provide advice concerning the specific circumstances of any particular individual or entity and does not constitute an endorsement of any entity or its products or services.
The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organization.
