Facebook has open-sourced Pysa, its tool for automatically discovering vulnerable code in Python. The tool uses static code analysis for this purpose.
With Pysa, software developers can check their Python code for potential vulnerabilities before those vulnerabilities end up in production environments and eventually cause problems.
The tool, based on static code analysis, searches for possible security problems by following raw data as it moves through an application and checking whether that data ends up somewhere it is not supposed to, for example data entered by users of a website on its way to a database in the back-end environment. Scanning this data flow prevents hackers from entering malicious code this way, especially when incoming data moves through multiple systems and environments.
Complex workloads
Pysa is especially useful for scanning large and complex workloads, such as those in business environments. The tool scans the code layer by layer and provides overviews showing which functions return data that originates from a source and which functions have parameters through which that data can reach an end environment.
According to Facebook, the tool also yields few false positives. This stops developers from endlessly chasing every report and thereby missing the critical vulnerabilities.
The social media giant is more than satisfied with how Pysa works. According to Facebook, the tool was able to discover 330 security vulnerabilities in Instagram in the first six months of 2020. Only 150 reports proved to be false positives.
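To illustrate the source-to-sink tracking described in the two passages above, here is a small added example written for this article (not Pysa's own implementation): a toy, intra-procedural taint checker that walks a Python function's AST and reports every call where data originating from an assumed source (`request.GET`) reaches an assumed sink (`cursor.execute`). The sample function and the source/sink names are constructed for the demonstration.

```python
import ast
# Constructed sample: a request parameter reaches a SQL sink via assignment
# and string concatenation; the second execute() call receives clean data.
SAMPLE = '''
def handler(request, cursor):
    name = request.GET["name"]
    greeting = "hello"
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)
    cursor.execute("SELECT 1")
    log(greeting)
'''

# Assumed source and sink models (hypothetical, in the spirit of Pysa's taint models).
SOURCES = {"request.GET"}   # attribute reads treated as user-controlled data
SINKS = {"cursor.execute"}  # call targets whose arguments must stay untainted

def dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_tainted(expr, tainted):
    """Conservative: any sub-expression reading a tainted variable or a source
    attribute taints the whole expression (so taint survives concatenation)."""
    return any(
        (isinstance(sub, ast.Name) and sub.id in tainted)
        or (isinstance(sub, ast.Attribute) and dotted(sub) in SOURCES)
        for sub in ast.walk(expr)
    )

def find_flows(src):
    """Flow-sensitive pass over each function's top-level statements; returns
    [(line, sink)] for every sink call whose arguments carry tainted data."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                names = {t.id for t in stmt.targets if isinstance(t, ast.Name)}
                # Assigning a clean value overwrites (sanitises) a previously tainted name.
                tainted = tainted | names if is_tainted(stmt.value, tainted) else tainted - names
            for call in (n for n in ast.walk(stmt) if isinstance(n, ast.Call)):
                if dotted(call.func) in SINKS and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((call.lineno, dotted(call.func)))
    return findings
```

Running `find_flows(SAMPLE)` reports only the `cursor.execute(query)` call on line 6, while the constant query and the untainted `greeting` are left alone, which is the kind of source-to-sink reasoning the article describes at a far smaller scale than Pysa's whole-program analysis.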
Python only
The tool focuses only on Python code, which of course limits its applicability. But because Python is used a lot for AI solutions, the tool suits that market segment very well. The Pysa tool is now available via GitHub.