UPDATED 14:40 EDT / AUGUST 07 2020

SECURITY

Facebook’s new open-source Pysa security tool detects hackable code

Facebook Inc. today launched Pysa, an open-source tool it has developed to catch vulnerable code snippets written by engineers before they make it into production. 

Pysa is designed exclusively to analyze code written in Python. That limits the scenarios where the tool can be applied, but it could still be useful for other companies because Python is the world’s second most widely used programming language as of earlier this year. It’s especially popular in artificial intelligence development and is also the language in which most of the code for Instagram is written.

Facebook has applied Pysa to the Instagram code base to great effect. According to the company, the tool was responsible for spotting 44% of the server-side security issues that it detected in the photo-sharing service during the first half of 2020. Some 49 of the flaws Pysa caught were determined to be “severe” vulnerabilities.

Under the hood, the tool works by employing a technique known as static code analysis. It sifts through Facebook developers’ raw code files without the delay of running them to quickly generate security assessments.

Pysa looks for security issues by following data as it flows through an application and checking if it ends up somewhere it’s not supposed to. For example, the tool can determine if input that users enter into a public website form is sent directly to a backend database without being scanned first. This allows Pysa to identify potential avenues through which hackers could inject malicious code into a company’s systems.

The task is easier said than done because data doesn’t always follow a direct route inside an application. The input entered into a website form might pass through multiple components before it reaches the vulnerable backend database, which can make finding security weak points highly difficult. That’s especially true in complex enterprise workloads with a large number of components. 

Pysa overcomes this challenge by analyzing code layer by layer. “Pysa performs iterative rounds of analysis to build summaries to determine which functions return data from a source and which functions have parameters that eventually reach a sink,” Facebook engineers Graham Bleaney and Sinan Cepel explained in a blog post.

Pysa manages the task while generating relatively few false positives, which reduces the risk of security engineers becoming overburdened and missing real vulnerabilities. The tool found a total of 330 security flaws in Instagram during the first half of 2020 and produced 150 false positives.

Facebook said that Pysa lends itself to finding a range of common vulnerability types, as well as more subtle compliance issues. If a company has, say, a policy requiring code components to pass personal user data through a privacy filter before storing it in a database, Pysa can be configured to detect code that doesn’t meet this requirement. 
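To make the source-to-sink tracking, the iterative function summaries and the configurable rules described above concrete, here is a small taint analysis written for this article. It is an added illustration, not Pysa's code or its configuration format: the rule names (`request_param`, `db_execute`, `sanitize`) and the sample program are constructed, and the analysis models only straight-line code, assignments, returns and direct calls. It repeats rounds over every function until no summary changes, so a call to a function defined later in the file (`helper` calling `wrap`) is resolved once `wrap`'s own summary exists.

```python
import ast
from dataclasses import dataclass, field

# Constructed rule set: which functions produce tainted data, which must never
# receive it, and which clear the taint (a privacy filter would be a sanitizer).
RULES = {
    "sources": {"request_param"},
    "sinks": {"db_execute"},
    "sanitizers": {"sanitize"},
}

# Constructed sample program; line numbers matter for the reported findings.
SAMPLE = '''\
def request_param(name): ...      # source: returns user-controlled data
def db_execute(query): ...        # sink: must never receive raw user data
def sanitize(value): ...          # sanitizer: clears taint
def fetch(name):
    return request_param(name)    # summary: returns tainted data
def store(query):
    db_execute(query)             # summary: parameter 0 reaches a sink
def handler():
    user = fetch("q")
    store(user)                   # complete flow: source -> fetch -> store -> sink
def safe_handler():
    user = fetch("q")
    store(sanitize(user))         # taint cleared before the sink
def helper(value):
    wrap(value)                   # needs wrap's summary, computed in a later round
def wrap(value):
    store(value)
'''


@dataclass
class Summary:
    returns_taint: bool = False                     # does the return value carry source data?
    sink_params: set = field(default_factory=set)   # parameter indexes that reach a sink


class TaintAnalyzer:
    def __init__(self, rules):
        self.sources, self.sinks = set(rules["sources"]), set(rules["sinks"])
        self.sanitizers = set(rules["sanitizers"])
        self.summaries, self.findings = {}, []

    def _tainted(self, node, env, hits):
        """True if the expression carries taint; sink hits are appended to `hits`."""
        if isinstance(node, ast.Name):
            return env.get(node.id, False)
        if isinstance(node, ast.BinOp):   # e.g. string concatenation propagates taint
            return self._tainted(node.left, env, hits) or self._tainted(node.right, env, hits)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            name = node.func.id
            summary = self.summaries.get(name, Summary())
            for i, arg in enumerate(node.args):
                if self._tainted(arg, env, hits) and (name in self.sinks or i in summary.sink_params):
                    hits.append((name, node.lineno))
            if name in self.sanitizers:
                return False
            return name in self.sources or summary.returns_taint
        return False

    def _run(self, fn, env):
        """Walk one function body with the given variable taint; return (returns_taint, hits)."""
        hits, returns = [], False
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
                env[stmt.targets[0].id] = self._tainted(stmt.value, env, hits)
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                returns = returns or self._tainted(stmt.value, env, hits)
            elif isinstance(stmt, ast.Expr):
                self._tainted(stmt.value, env, hits)
        return returns, hits

    def analyze(self, source):
        """Iterate summary building to a fixpoint, then report complete source-to-sink flows."""
        funcs = [n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)]
        self.summaries = {f.name: Summary() for f in funcs}
        rounds, changed = 0, True
        while changed:
            rounds, changed = rounds + 1, False
            for f in funcs:
                returns, base_hits = self._run(f, {})
                sink_params = set()
                for i, param in enumerate(a.arg for a in f.args.args):
                    # Assume only this parameter is tainted; extra hits mean it reaches a sink.
                    if len(self._run(f, {param: True})[1]) > len(base_hits):
                        sink_params.add(i)
                new = Summary(returns, sink_params)
                if new != self.summaries[f.name]:
                    self.summaries[f.name], changed = new, True
        # Final pass with nothing assumed tainted: only genuine source-to-sink flows remain.
        self.findings = [(f.name, sink, line) for f in funcs for sink, line in self._run(f, {})[1]]
        return rounds


def analyze_sample():
    analyzer = TaintAnalyzer(RULES)
    rounds = analyzer.analyze(SAMPLE)
    return rounds, analyzer.findings, analyzer.summaries


if __name__ == "__main__":
    rounds, findings, summaries = analyze_sample()
    print(f"fixpoint after {rounds} rounds")
    for fn, sink, line in findings:
        print(f"{fn}: tainted data reaches sink '{sink}' at line {line}")
```

Running it reports one finding, `handler` passing request data into `store` at line 10, and no finding for `safe_handler`, where the sanitizer sits between source and sink. The summaries show why the rounds matter: `helper` is only marked as forwarding its parameter to a sink in the second round, after `wrap` has been summarized. Swapping the `RULES` entries for a privacy filter and a storage call turns the same machinery into the compliance check the article mentions.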

Photo: Unsplash
