Pysa static analysis tool, developed to find security bugs in Instagram’s huge codebase, can now be used to help secure other developers’ Python code
Facebook has open sourced an automated tool for detecting security flaws in Python code, first created to help secure Instagram.
The company’s static code analysis tool is called Pysa, short for Python Static Analyzer – not to be confused with an unrelated strain of ransomware also called Pysa.
It is specifically designed for tracking down potential security flaws in massive Python code bases, such as that which powers Instagram.
The tool analyses code statically, without running it, and concentrates on how data flows through the program.
“Analysing data flows is useful because many security and privacy issues can be modelled as data flowing into a place it shouldn’t,” wrote Facebook security engineers Graham Bleaney and Sinan Cepel.
A remote code execution flaw, for instance, can be thought of as user-controlled input that reaches a place where the program executes it as code or as a shell command.
In the first half of 2020, Pysa detected 44 percent of all security flaws found in Instagram’s server-side Python code, Facebook said.
Pysa is built on Pyre, Facebook's open source type checker for Python, extended to track where data flows rather than just what type it has.
Facebook last year unveiled a similar tool, called Zoncolan, that it developed to find security bugs in Hack, a PHP-like language used for the Facebook application’s main codebase.
In both cases, the scanners look for data flows that could indicate flaws such as cross-site scripting, remote code execution, SQL injection or exfiltration of user data, and then notify the code’s developer of the issues.
“Like Zoncolan has done for Hack code, Pysa has helped us scale our application security efforts for Python, most notably the codebase that powers Instagram’s servers,” wrote Bleaney and Cepel.
The tool provides results in about an hour, rather than the weeks or months it would take to review the code manually, they said.
“These rapid results help us find and prevent an issue fast enough to keep it from being introduced into our codebase,” they wrote.
“The results go either directly to the developer or to security engineers, depending on the type of issue detected and the signal-to-noise ratio of our detections for that specific issue.”
Facebook said it made Pysa open source so that developers can use it to check their own Python code.
“Because we use open source Python server frameworks such as Django and Tornado for our own products, Pysa can start finding security issues in projects using these frameworks from the first run,” Bleaney and Cepel wrote.
Using Pysa for frameworks not already supported can be as simple as adding a few lines of configuration to tell Pysa where data enters the server, they added.
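To make the source-to-sink idea described above concrete, and to show what "telling the tool where data enters the server" amounts to, here is a small taint tracker added as an illustration. It is not Pysa's code or any code from Facebook: Pysa runs interprocedurally on top of the Pyre type checker and reads its models from .pysa stubs and taint.config, whereas this toy stays inside one function and keeps its model in three Python tables. The SOURCES, SINKS and SANITIZERS tables, the framework call names in them and the SAMPLE code are all constructed for the demo. The tracker walks a function with Python's ast module, marks variables that receive data from a source, drops the mark when a sanitizer is applied or the variable is overwritten with clean data, and reports when a marked value reaches a listed parameter of a sink.

```python
"""Toy source-to-sink taint tracker over Python ASTs: an added illustration, not
Pysa's code. Pysa runs interprocedurally on top of the Pyre type checker and reads
its models from .pysa stubs and taint.config; everything below is constructed."""
import ast

# Calls whose return value is untrusted (constructed model of a "source").
SOURCES = {"request.GET.get", "request.POST.get", "input"}

# Callee -> (rule name, argument positions that are sinks); cursor.execute's query
# string is a sink, its parameter tuple is not (constructed per-parameter "sinks").
SINKS = {
    "os.system": ("RemoteCodeExecution", (0,)),
    "cursor.execute": ("SQLInjection", (0,)),
}

# Calls whose result is treated as clean whatever went in (constructed model).
SANITIZERS = {"shlex.quote", "int"}


def dotted_name(node):
    """Turn a Name/Attribute chain such as request.GET.get into 'request.GET.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class TaintTracker(ast.NodeVisitor):
    """Intraprocedural taint propagation: statements are processed in order and a
    reassignment with clean data clears the taint; branches are not merged."""
    def __init__(self):
        self.function = "<module>"
        self.tainted = set()   # names currently holding source-derived data
        self.findings = []     # (function, rule, sink callee, line)

    def is_tainted(self, node):
        """Does this expression carry data that came from a source?"""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            callee = dotted_name(node.func)
            if callee in SOURCES:
                return True
            if callee in SANITIZERS:
                return False  # sanitizer output is clean by definition
            inputs = list(node.args) + [kw.value for kw in node.keywords]
            return any(self.is_tainted(n) for n in inputs)
        # Constants have no children (clean); f-strings, concatenation, tuples etc.
        # are tainted if any part of them is.
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_FunctionDef(self, node):
        self.function, self.tainted = node.name, set()  # fresh scope per function
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted_name(node.func)
        if callee in SINKS:
            rule, positions = SINKS[callee]
            if any(p < len(node.args) and self.is_tainted(node.args[p]) for p in positions):
                self.findings.append((self.function, rule, callee, node.lineno))
        self.generic_visit(node)


def analyze(source):
    """Return (function, rule, sink, line) for every source-to-sink flow found."""
    tracker = TaintTracker()
    tracker.visit(ast.parse(source))
    return sorted(tracker.findings, key=lambda f: f[3])


# Constructed input: two real flows plus near-misses a grep for the sinks would also hit.
SAMPLE = '''import os, shlex
def list_dir(request):
    name = request.GET.get("dir")
    os.system("ls " + name)                      # flow: input reaches a shell
def list_dir_quoted(request):
    name = request.GET.get("dir")
    os.system("ls " + shlex.quote(name))         # sanitizer breaks the flow
def find_user(request, cursor):
    uid = request.GET.get("id")
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")      # flow: SQL injection
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))  # parameterised: clean
    uid = int(uid)
    cursor.execute(f"SELECT * FROM users WHERE id = {uid}")      # int() sanitised it
'''
```

Calling analyze(SAMPLE) reports only the os.system call in list_dir and the f-string query in find_user; the quoted, parameterised and int()-converted variants are left alone, which is the difference between data-flow analysis and a pattern match on dangerous function names. Adding support for another framework here is a matter of extending the SOURCES table, the same shape of change the article describes for Pysa's configuration.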
Facebook has released Pysa’s source code on GitHub, together with a set of bug definitions (the sources, sinks and rules) that tell it which data flows count as security issues.
The company said it has worked with the Zulip server project to incorporate Pysa into its codebase.