Facebook announced the availability of Pysa (Python Static Analyzer), an open source tool designed to statically analyze Python code.
The security-focused tool is based on Pyre, the Python type checker for Facebook, and allows the analysis of how data flows through code. It can be used to identify issues related to user data protection, as well as flaws like XSS and SQL injection.
Along with open-sourcing Pysa, Facebook has released many of the definitions it uses when searching for security bugs, so that others can start analyzing their own Python code right away.
The tool also includes support for open source Python server frameworks, including Django and Tornado, making it usable for code analysis right from the start. Adding support for further frameworks requires just a few lines of code, Facebook says.
Pysa allows users to define sources, the places where important data originates, and places that data should never reach, which are called sinks. The tool then identifies functions that return data from a source and functions that pass data into a sink, and reports a problem if it discovers a connection between a source and a sink.
The tool was designed to avoid false negatives, so that, according to Facebook, it identifies as many security problems as possible. This, however, leads to more false positives, so Facebook engineers added sanitizers and other features to the tool to remove those as well.
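To make the source/sink/sanitizer model concrete, here is a toy intra-procedural taint check written for this article; it is not Pysa's code, and the source, sink and sanitizer names it assumes (`request.GET.get`, `cursor.execute`, `int`) are constructed to resemble a Django view.

```python
import ast
# Assumed model, mirroring how Pysa declares sources, sinks and sanitizers
SOURCES = {"request.GET.get"}   # return value is user-controlled
SINKS = {"cursor.execute": 0}   # sink call -> index of the argument that must be clean
SANITIZERS = {"int"}            # calls whose result is treated as clean

def _name(node):  # dotted name of a call target, e.g. 'request.GET.get'
    return f"{_name(node.value)}.{node.attr}" if isinstance(node, ast.Attribute) else getattr(node, "id", "")

def _tainted(expr, tainted):  # does the expression carry data that came from a source?
    if isinstance(expr, ast.Call):
        fn = _name(expr.func)
        if fn in SOURCES or fn in SANITIZERS:
            return fn in SOURCES  # a sanitizer clears taint, even on tainted input
        return any(_tainted(a, tainted) for a in expr.args)
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.JoinedStr):  # f-string interpolation keeps taint
        return any(_tainted(v.value, tainted) for v in expr.values
                   if isinstance(v, ast.FormattedValue))
    return False

def find_flows(source_code):  # (function name, line) for every sink reached by tainted data
    findings = []
    for fn in ast.walk(ast.parse(source_code)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()  # local variables currently holding source data
        for stmt in fn.body:  # single pass over straight-line statements
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                tainted = tainted | names if _tainted(stmt.value, tainted) else tainted - names
            for node in ast.walk(stmt):
                if isinstance(node, ast.Call) and _name(node.func) in SINKS:
                    idx = SINKS[_name(node.func)]
                    if len(node.args) > idx and _tainted(node.args[idx], tainted):
                        findings.append((fn.name, node.lineno))
    return findings

# Constructed sample: one real flow, one sanitized, one parameterized query
SAMPLE = '''def vulnerable(request, cursor):
    name = request.GET.get("name")
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
def sanitized(request, cursor):
    uid = int(request.GET.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
def parameterized(request, cursor):
    name = request.GET.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))
'''
```

Only `vulnerable` is reported: the sanitizer clears taint in `sanitized`, and in `parameterized` the tainted value reaches a non-sink parameter, which is how the sink model avoids a false positive. Unlike Pysa, this toy never follows data across function calls.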
The social media platform admits that Pysa has its limitations “based on its choice of addressing data flow security issues, along with design decisions that trade off performance for accuracy and precision.”
In addition, Pysa was designed solely for discovering security issues related to data flow, meaning it will not identify security or privacy issues that cannot be modeled as data flows.
“Pysa helps security engineers both detect existing problems within a code base and prevent the introduction of new ones through proposed code changes. Pysa detected 44 per cent of the issues our engineers found in the Instagram server codebase in the first half of 2020,” reveals the social platform.
Although nearly half of the results returned in that period were false positives, Facebook was able to tune Pysa, saying that it eventually returned “100 percent valid problems.”
“In general, we’re happy with the trade-offs that we made with Pysa to help scale security engineers, but there’s always room for improvement. Thanks to close collaboration between security engineers and software engineers we built Pysa for continuous improvement,” notes Facebook.