Facebook has recently released Pysa as open source after its success with Instagram security. The tool specifically aims at security teams facilitating bug fixes.
Facebook Open Source Pysa Tool
Facebook released its internally-developed Pysa security tool.
Based on the open-source code of Pyre project, Facebook designed Pysa as a static code analyzer. The tool specifically looks for security bugs, unlike most other analyzers.
Facebook decided to opensource the tool after witnessing its success in security Instagram. The tech giant’s internal team used the tool for identifying various bugs. Sharing the details of the tool in a post, Facebook stated,
Pysa helps us detect a wide range of issues. For example, we use it to check whether our Python code properly makes use of certain internal frameworks, which are designed to prevent access to, or disclosure of, user data based on technical privacy policies. Pysa also detects common web app security issues, like XSS and SQL injection. Like Zoncolan has done for Hack code, Pysa has helped us scale our application security efforts for Python, most notably the codebase that powers Instagram’s servers.
Regarding its working, Facebook revealed that it works similar to Zoncolan – another Facebook tool.
It tracks the flow of data through a program. Eventually, the tool assists in analyzing huge codebases with millions of lines of codes.
In brief, it builds summaries by repeatedly analyzing the functions and noting whether the return data comes from source (point of origin of important data) or the sink (points where source data should not end). In the latter case, the tool reports the issue.
Pysa Available On GitHub
Presently, the tool will work from the first run for projects based on Django and Tornado frameworks, because these are what Facebook uses itself.
Nonetheless, users can also modify the code a bit to make it work for other frameworks as well.
Let us know your thoughts in the comments.