Facebook open-sources one of Instagram's security tools


Facebook today formally launched one of Instagram's secret tools for finding and fixing bugs in the app's vast Python codebase.


Named Pysa, the tool is a so-called static analyzer. It works by scanning code in a "static" form, before the code is run or compiled, looking for known patterns that may indicate a bug, and then flagging potential issues to the developer.


Facebook says the tool was developed internally, and, through constant refinement, Pysa has now reached maturity. For example, Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram's server-side Python code.


Developed for security teams


Behind this success stands the work of the Facebook security team. Even though Pysa was based on the open-source code of the Pyre project, the tool has been built around the needs of a security team.


While most static analyzers look for a wide range of bugs, Pysa was specifically developed to look for security-related issues. More particularly, Pysa tracks "flows of data through a program."


How data flows through a program's code is very important. Most security exploits today take advantage of unfiltered or uncontrolled data flows.


For example, a remote code execution (RCE) bug, one of today's worst types of bugs, is, when stripped down, basically user input that reaches unwanted portions of a codebase.

Under the hood, Pysa aims to bring some insight into how data travels across codebases, and especially large codebases made up of hundreds of thousands or millions of lines of code.
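
The source-to-sink idea described above, as an added example that is not part of the original article and is not Pysa's own code or configuration: a toy analyzer built on Python's `ast` module that follows user input through assignments and reports when it reaches a dangerous call. The function name `request_param`, the sink list and the treatment of `int()` as a sanitizer are assumptions made for the illustration.

```python
import ast

# Constructed sample "codebase". It is only parsed, never executed.
SAMPLE = '''
import os
name = request_param("name")
greeting = "hello " + name
cmd = "echo " + greeting
os.system(cmd)
count = int(request_param("n"))
os.system("sleep " + str(count))
os.system("uptime")
'''

SOURCES = {"request_param"}            # hypothetical user-input function
SINKS = {"os.system", "eval", "exec"}  # calls that must not see user input
SANITIZERS = {"int"}                   # assumption: int() output is safe

def is_tainted(node, tainted):
    """True if the expression can carry data that came from a source."""
    if isinstance(node, ast.Call):
        name = ast.unparse(node.func)
        if name in SANITIZERS:
            return False
        if name in SOURCES:
            return True
    if isinstance(node, ast.Name):
        return node.id in tainted
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def find_flows(source):
    """Return (line, sink) for every sink call fed by tainted data."""
    tainted, findings = set(), []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign):
            hit = is_tainted(stmt.value, tainted)
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    # Re-assignment with clean data clears the taint.
                    (tainted.add if hit else tainted.discard)(target.id)
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and ast.unparse(node.func) in SINKS:
                if any(is_tainted(arg, tainted) for arg in node.args):
                    findings.append((node.lineno, ast.unparse(node.func)))
    return findings

if __name__ == "__main__":
    for line, sink in find_flows(SAMPLE):
        print(f"line {line}: user-controlled data reaches {sink}()")
```

This sketch only follows top-level, straight-line assignments; it does not follow data across function calls or modules.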


This concept isn't new and is something that Facebook has already perfected with Zoncolan