Facebook open-sources Pysa static analysis tool to detect and prevent security issues in Python code
If your are a programmer and use Python for coding, this news will help you a lot. Social networking giant, Facebook has open-sourced Pysa tool that can scan through humongous lines of Python code and detect and fix bugs. Facebook used Pysa as an internal tool for bug detection in its image-sharing App, Instagram
Announcing the open-sourcing of the Pysa tool, Facebook Engineering they used the tool to automatically identify vulnerable code snippets written by Facebook engineers before they are integrated into Instagram. Pysa is a static analyzer tool meaning it works by scanning code in a “static” form before the code is compiled. The tool works by hunting for common patterns that are usually observed in bugs. Once it finds an error in the Python code, it flags the snippet for correction.
Pysa tool only works with Python code. However, open-sourcing will help many developers and sysadmins because Python is the world’s second most widely used programming language as of May 2020. Facebook has applied Pysa to the Instagram code base to great effect. According to the company, the tool was responsible for spotting 44% of the server-side security issues in the first half of 2020. Some 49 of the flaws flagged by Pysa tool were determined to be “severe” vulnerabilities.
How does Pysa detect security issues in Python code?
As said above, Pysa tool employs static code analysis. It sifts through the raw Python code files to quickly generate security assessments. Pysa tool detects security issues by tracking the data flow through an application. If it finds any code that is out of place, it immediately flags that particular snippet.
Programmers can use Pysa to sift through a raw code base for errors. For example, a user uses the website’s contact me to push through a malicious code to the server, Pysa tool will flag it before it even enters the database. While the contact form malware issue may seem petty, Pysa can sift through humongous Python codes with ease. Pysa overcomes this challenge by analyzing code layer by layer. “Pysa performs iterative rounds of analysis to build summaries to determine which functions return data from a source and which functions have parameters that eventually reach a sink,” Facebook engineers Graham Bleaney and Sinan Cepel explained in a blog post.
Facebook has released the open-source version of the tool here. You can use it to find vulnerabilities like cross-site scripting, remote code executions, SQL injections, etc.