
Facebook open-sources a static analyzer for Python code
2020-08-10 12:16

Need a tool to check your Python-based applications for security issues? Facebook has open-sourced Pysa, a tool that looks at how data flows through the code and helps developers prevent data flowing into places it shouldn't.

"Pysa tracks flows of data through a program. The user defines sources as well as sinks," Facebook security engineer Graham Bleaney and software engineer Sinan Cepel explained.

Facebook uses it to check developers' proposed code changes for security and privacy issues before they land, so that new flaws are not introduced into the codebase, and to find issues that already exist in a codebase.

"Because we use open source Python server frameworks such as Django and Tornado for our own products, Pysa can start finding security issues in projects using these frameworks from the first run. Using Pysa for frameworks we don't already have coverage for is generally as simple as adding a few lines of configuration to tell Pysa where data enters the server," the two engineers added.

"Because of the importance of catching security issues, we built Pysa to avoid false negatives and catch as many issues as possible. Reducing false negatives may require trade-offs that increase false positives. Too many false positives could in turn cause alert fatigue and risk real issues being missed in the noise," the engineers explained.
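To make the source-to-sink idea from the quotes above concrete, here is a toy taint tracker written for this page as an added example. It is not Pysa's code: Pysa is interprocedural and takes its sources, sinks and sanitizers from taint.config and .pysa model stubs, whereas this tracker looks at one function at a time using Python's ast module. The names TaintConfig, TaintTracker, analyze, DEMO_CONFIG and SAMPLE, and the application code in SAMPLE, are all constructed for illustration. The tracker follows data from configured sources (request.GET, input) to sinks (os.system, eval), honours a sanitizer (shlex.quote), and deliberately shows both sides of the trade-off the engineers describe: an over-approximation that flags a subprocess argv list (a false positive) and a flow across a function boundary that it cannot see (a false negative).

```python
"""Toy intraprocedural source-to-sink taint tracker (added example, not Pysa)."""
import ast
from dataclasses import dataclass, field


@dataclass
class TaintConfig:
    # Dotted call/attribute names; the roles Pysa assigns in taint.config and .pysa stubs.
    sources: set = field(default_factory=set)     # where user-controlled data enters
    sinks: set = field(default_factory=set)       # calls that must not receive it
    sanitizers: set = field(default_factory=set)  # calls whose result is trusted


def dotted_name(node):
    """'a.b.c' for a Name/Attribute chain, None for any other node."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintTracker(ast.NodeVisitor):
    def __init__(self, source, config):
        self.source, self.config = source, config
        self.tainted = set()  # local variables currently holding tainted data
        self.findings = []    # (line, sink, argument text)

    def is_tainted(self, expr):
        """Over-approximate: any tainted sub-expression taints the whole one."""
        name = dotted_name(expr)
        if name in self.config.sources or name in self.tainted:
            return True
        if isinstance(expr, ast.Call):
            callee = dotted_name(expr.func)
            if callee in self.config.sources:
                return True
            if callee in self.config.sanitizers:
                return False  # sanitizer output is trusted, taint stops here
            parts = [expr.func, *expr.args, *(k.value for k in expr.keywords)]
            return any(self.is_tainted(p) for p in parts)
        return any(self.is_tainted(c) for c in ast.iter_child_nodes(expr)
                   if isinstance(c, ast.expr))

    def visit_FunctionDef(self, node):
        self.tainted = set()  # fresh state per function: nothing crosses calls
        self.generic_visit(node)

    def visit_Assign(self, node):
        tainted = self.is_tainted(node.value)
        for target in node.targets:
            for n in ast.walk(target):  # covers tuple unpacking
                if isinstance(n, ast.Name):
                    (self.tainted.add if tainted else self.tainted.discard)(n.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        callee = dotted_name(node.func)
        if callee in self.config.sinks:
            for arg in [*node.args, *(k.value for k in node.keywords)]:
                if self.is_tainted(arg):
                    self.findings.append((node.lineno, callee,
                                          ast.get_source_segment(self.source, arg)))
        self.generic_visit(node)


def analyze(source, config):
    """Return (line, sink, argument) for every tainted value that reaches a sink."""
    tracker = TaintTracker(source, config)
    tracker.visit(ast.parse(source))
    return tracker.findings


DEMO_CONFIG = TaintConfig(sources={"request.GET", "request.POST", "input"},
                          sinks={"os.system", "subprocess.run", "eval"},
                          sanitizers={"shlex.quote"})

# Constructed application code under analysis (hypothetical, not from the article).
SAMPLE = '''\
import os, shlex, subprocess

def ping(request):
    host = request.GET.get("host")             # source: user-controlled
    os.system("ping -c 1 " + host)             # line 5: flagged
    safe = shlex.quote(host)
    os.system("ping -c 1 " + safe)             # sanitized: not flagged
    subprocess.run(["ping", "-c", "1", host])  # line 8: flagged; an argv list without
                                               # shell=True is not injectable (false positive)
def lookup(request):
    key = request.GET["key"]
    row = cache.get(key)                       # taint carried through an unknown call
    eval(row)                                  # line 13: flagged

def read_cmd(request):
    return request.GET["cmd"]

def run(request):
    os.system(read_cmd(request))               # line 19: missed, the flow crosses a
'''                                            # function boundary (false negative)
```

Calling analyze(SAMPLE, DEMO_CONFIG) returns three findings, at lines 5, 8 and 13 of the sample, and nothing for line 19. The false positive at line 8 and the false negative at line 19 are the two failure modes the engineers weigh against each other: flagging every tainted argument of a sink catches more real bugs at the cost of noise, while a tracker that does not follow calls stays quiet about a real flow. Pysa addresses the second by propagating taint through call summaries and the first by letting users refine sinks and sanitizers in its models.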


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/uFQQvymG5XI/
