Facebook Open Sources Python Code Check Tool

Facebook has open sourced an automated tool for detecting security flaws in Python code, first created to help secure Instagram.

The company’s static code analysis tool is called Pysa, short for Python Static Analyzer – not to be confused with an unrelated strain of ransomware also called Pysa.

It is specifically designed for tracking down potential security flaws in massive Python code bases, such as that which powers Instagram.

The tool analyses code in a static form, before it has been compiled, looking in particular at how data flows through the system.


Security flaws

“Analysing data flows is useful because many security and privacy issues can be modelled as data flowing into a place it shouldn’t,” wrote Facebook security engineers Graham Bleaney and Sinan Cepel.

A remote code execution flaw, for instance, can be thought of as a user input that reaches an unauthorised part of a system’s code.

In the first half of 2020, Pysa detected 44 percent of all security flaws found in Instagram’s server-side Python code, Facebook said.

Pysa was based on the open source Pyre project, an automated tool designed to improve Python code quality, but was modified specifically to help find security flaws.

Facebook last year unveiled a similar tool, called Zoncolan, that it developed to find security bugs in Hack, a PHP-like language used for the Facebook application’s main codebase.

In both cases, the scanners look for potentially dangerous data patterns that could indicate flaws allowing cross-site scripting, remote code execution, SQL injection or user data exfiltration, then notify the code’s developer of the issues.

Real-time checking

“Like Zoncolan has done for Hack code, Pysa has helped us scale our application security efforts for Python, most notably the codebase that powers Instagram’s servers,” wrote Bleaney and Cepel.

The tool provides results in about an hour, rather than the weeks or months it would take to review the code manually, they said.

“These rapid results help us find and prevent an issue fast enough to keep it from being introduced into our codebase,” they wrote.

“The results go either directly to the developer or to security engineers, depending on the type of issue detected and the signal-to-noise ratio of our detections for that specific issue.”

Facebook said it made Pysa open source to allow developers to use it to check their own Python code.

Open source

“Because we use open source Python server frameworks such as Django and Tornado for our own products, Pysa can start finding security issues in projects using these frameworks from the first run,” Bleaney and Cepel wrote.

Using Pysa for frameworks not already supported can be as simple as adding a few lines of configuration to tell Pysa where data enters the server, they added.
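The article describes the core idea behind Pysa in two pieces: security bugs modelled as data flowing from a place it enters (a source) to a place it should not reach (a sink), and a small configuration that tells the analyser where those sources and sinks are. The following is an added, self-contained illustration of that idea and is not Pysa’s code, nor its real model or `taint.config` syntax. It walks a function’s AST with Python’s `ast` module, follows taint through assignments, drops it at a sanitiser, and reports any source-to-sink pair a rule forbids. The names `SOURCES`, `SINKS`, `SANITIZERS`, `RULES`, `analyze` and the deliberately flawed Django-style view in `SAMPLE` are all constructed for this example.

```python
import ast
from dataclasses import dataclass

# --- Constructed configuration (hypothetical names, not Pysa's model format) ---
# Where user-controlled data enters the program ...
SOURCES = {
    "request.GET.get": "UserControlled",
    "request.POST.get": "UserControlled",
}
# ... where it must never arrive unsanitised ...
SINKS = {
    "eval": "RemoteCodeExecution",
    "os.system": "RemoteCodeExecution",
    "subprocess.run": "RemoteCodeExecution",
    "cursor.execute": "SQLInjection",
}
# ... and calls whose output is considered safe again.
SANITIZERS = {"shlex.quote", "int"}
# A rule pairs a source label with a sink label; the pair is a finding.
RULES = {
    ("UserControlled", "RemoteCodeExecution"): "user input reaches code execution",
    ("UserControlled", "SQLInjection"): "user input reaches a SQL query",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    sink: str
    line: int


def dotted_name(node):
    """'a.b.c' for an attribute chain rooted at a plain name, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def taint_of(expr, tainted):
    """Set of taint labels an expression carries, given the tainted variables."""
    if isinstance(expr, ast.Name):
        return set(tainted.get(expr.id, ()))
    if isinstance(expr, ast.Call):
        name = dotted_name(expr.func)
        if name in SANITIZERS:
            return set()  # the sanitiser's result is trusted
        labels = {SOURCES[name]} if name in SOURCES else set()
        children = [expr.func, *expr.args, *(kw.value for kw in expr.keywords)]
        return labels.union(*(taint_of(c, tainted) for c in children))
    # BinOp, f-string, Attribute, Subscript, ...: taint flows up from the parts.
    return set().union(*(taint_of(c, tainted) for c in ast.iter_child_nodes(expr)))


def iter_statements(body):
    """Statements in source order, descending into compound statements."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue  # nested definitions get their own analysis pass
        for attr in ("body", "orelse", "finalbody"):
            yield from iter_statements(getattr(stmt, attr, []))
        for handler in getattr(stmt, "handlers", []):
            yield from iter_statements(handler.body)


def direct_calls(stmt):
    """Call nodes evaluated by this statement itself, not by nested statements."""
    for child in ast.iter_child_nodes(stmt):
        if isinstance(child, (ast.stmt, ast.excepthandler)):
            continue
        for node in ast.walk(child):
            if isinstance(node, ast.Call):
                yield node


def analyze(source_code):
    """Report every configured source-to-sink flow inside each function."""
    tree = ast.parse(source_code)
    findings = []
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = {}  # variable name -> set of taint labels
        for stmt in iter_statements(func.body):
            # 1. Does an argument of a sink call carry a label a rule forbids?
            for call in direct_calls(stmt):
                sink_label = SINKS.get(dotted_name(call.func))
                if sink_label is None:
                    continue
                args = [*call.args, *(kw.value for kw in call.keywords)]
                for label in set().union(*(taint_of(a, tainted) for a in args)):
                    rule = RULES.get((label, sink_label))
                    if rule:
                        findings.append(Finding(rule, dotted_name(call.func), call.lineno))
            # 2. Propagate taint through assignments to plain variables.
            if isinstance(stmt, ast.Assign):
                labels = taint_of(stmt.value, tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        tainted[target.id] = labels
            elif isinstance(stmt, ast.AugAssign) and isinstance(stmt.target, ast.Name):
                previous = tainted.get(stmt.target.id, set())
                tainted[stmt.target.id] = previous | taint_of(stmt.value, tainted)
    return findings


# Constructed sample under analysis: a Django-style view, deliberately flawed.
SAMPLE = '''
def run(request):
    cmd = request.GET.get("cmd")
    safe = shlex.quote(cmd)
    os.system("ls " + safe)                      # sanitised: no finding
    os.system("echo " + cmd)                     # finding, line 6
    query = f"SELECT * FROM t WHERE id = {cmd}"
    cursor.execute(query)                        # finding, line 8
    cursor.execute("SELECT 1")                   # constant: no finding
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"line {f.line}: {f.rule} via {f.sink}()")
```

The analysis is intra-procedural and ignores control flow, so it is far weaker than a real analyser, but it shows why “adding a few lines of configuration” is enough to get started: the code being scanned is never changed, only the dictionaries describing where data enters, where it must not go, and what neutralises it. Running it on `SAMPLE` reports the `os.system` call on line 6 and the `cursor.execute` call on line 8, and stays silent on the sanitised and constant calls.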

Facebook has officially released Pysa’s source code on GitHub, as well as several bug definitions aimed at helping it track down security issues.

The company said it has worked with the Zulip server project to incorporate Pysa into its codebase.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
