Facebook made another open source contribution by making one of its Instagram security tools public.
Called Pysa, the tool is a static analyzer: it scans code in its “static” form, before the code is run or compiled, looking for known patterns that may indicate a bug. It was developed for Instagram, whose codebase is mostly made up of Python and related frameworks.
“Facebook says the tool was developed internally, and, through constant refinement, Pysa has now reached maturity. For example, Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram’s server-side Python code.”
Pysa was built on the open source project pyre-check by the Facebook Security Team as an internal security testing tool. Whereas most static analyzers look for a wide range of bugs, the Facebook team developed Pysa specifically to look for security-related issues. More specifically, Pysa tracks “flows of data through a program,” following untrusted input from the point where it enters the program to the places where it is consumed.
While Pysa was developed for Instagram’s Python code base, Facebook had already built Zoncolan, a static analyzer released in August 2019 for Hack, the PHP-like language variant that Facebook uses for the main Facebook app’s code base.
Pysa was designed as an extensible tool under a plug-and-play model, so it can be adapted to new frameworks as they are adopted.
“Because we use open source Python server frameworks such as Django and Tornado for our own products, Pysa can start finding security issues in projects using these frameworks from the first run,” Bleaney said. “Using Pysa for frameworks we don’t already have coverage for is generally as simple as adding a few lines of configuration to tell Pysa where data enters the server.”
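To make the source-to-sink idea concrete, here is a small added example (not Pysa’s own code, and far simpler than its interprocedural analysis): a toy checker that is told where data enters (sources such as `request.GET`) and where it is dangerous (sinks such as `os.system`), propagates taint through assignments inside each function, and reports any sink call that receives tainted data. The source and sink names and the sample snippet are constructed for this example.

```python
import ast

# Constructed configuration: where untrusted data enters and which calls are
# dangerous consumers. Pysa expresses the same idea in its model files; these
# names are assumptions for the toy example only.
SOURCES = {"request.GET", "request.POST"}
SINKS = {"os.system", "subprocess.call"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """True if any sub-expression reads a source or an already-tainted variable."""
    for sub in ast.walk(expr):
        name = dotted_name(sub)
        if name is None:
            continue
        if name in tainted or any(name == s or name.startswith(s + ".") for s in SOURCES):
            return True
    return False

def find_flows(source_code):
    """Walk each function body in order, propagating taint through simple
    assignments, and return (line, sink) pairs where tainted data reaches a sink."""
    findings = []
    tree = ast.parse(source_code)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and is_tainted(stmt.value, tainted):
                tainted.update(t for t in map(dotted_name, stmt.targets) if t)
            for call in [n for n in ast.walk(stmt) if isinstance(n, ast.Call)]:
                callee = dotted_name(call.func)
                if callee in SINKS and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((call.lineno, callee))
    return findings

# Constructed sample program: one flow from a source to a sink, one safe call.
SAMPLE = '''
import os
def run(request):
    cmd = request.GET["cmd"]      # untrusted input enters here (source)
    full = "ls " + cmd            # taint propagates through the assignment
    os.system(full)               # tainted data reaches a sink: reported
def safe(request):
    os.system("ls /tmp")          # constant argument: not reported
'''

if __name__ == "__main__":
    print(find_flows(SAMPLE))  # → [(6, 'os.system')]
```

Real tools like Pysa also follow data across function calls, attribute writes and sanitizers, which is exactly the work this sketch leaves out.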
Facebook has open-sourced Pysa on GitHub.