Facebook open sources its internal security tool

Facebook has open-sourced Pysa, the internal static code analyser it uses to detect security issues in Instagram. The company plans to keep using the tool to find security bugs.

Unlike most other static analysers, Pysa is designed specifically to find security bugs. Facebook decided to open-source the tool after seeing how well it worked for Instagram security.

The social media giant’s internal team used the tool to identify a variety of bugs. Facebook claims that Pysa was responsible for finding 44% of the server-side security issues the company detected in Instagram in the first half of 2020. Over 49% of the flaws in Instagram flagged by Pysa were classed as ‘severe’ vulnerabilities.

In an official statement, Facebook said, “Pysa helps us detect a wide range of issues. For example, we use it to check whether our Python code properly makes use of certain internal frameworks, which are designed to prevent access to, or disclosure of, user data based on technical privacy policies. Pysa also detects common web app security issues, like XSS and SQL injection. Like Zoncolan has done for Hack code, Pysa has helped us scale our application security efforts for Python, most notably the codebase that powers Instagram’s servers.”
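The quote above describes Pysa catching SQL injection and XSS, which a static analyser does by tracking data from untrusted sources (such as request parameters) to dangerous sinks (such as a SQL query string or an HTML response body). The toy analyser below is an added example written for this article, not Pysa's code or Facebook's; it models that source-to-sink idea over Python's `ast` module and runs it on a constructed Django-style snippet. The choice of `request` as the source, `execute` and `HttpResponse` as sinks, and `int` and `escape` as sanitisers is an assumption made for the demo.

```python
"""Toy source-to-sink taint analysis over a Python AST.

Added illustration, not Pysa's code: parse the code, mark values that come
from user input (sources), follow them through assignments, and report when
one reaches a dangerous call (sink) without passing through a sanitiser.
The source, sink and sanitiser names below are assumptions for the demo.
"""
import ast

SOURCE_ROOT = "request"                   # assumed: anything under `request.*` is user controlled
SINK_CALLS = {"execute", "HttpResponse"}  # assumed sinks: SQL query string, HTML response body
SANITIZERS = {"int", "escape"}            # assumed sanitisers: cast to int, HTML-escape

# Constructed sample input: one vulnerable view and its hardened counterpart.
SAMPLE = '''def search(request, cursor):
    name = request.GET["name"]
    cursor.execute(f"SELECT * FROM users WHERE name = '{name}'")
    return HttpResponse("<h1>" + name + "</h1>")

def search_fixed(request, cursor):
    name = request.GET["name"]
    limit = int(request.GET.get("limit", "10"))
    cursor.execute("SELECT * FROM users WHERE name = %s LIMIT %s", (name, limit))
    return HttpResponse(escape(name))
'''


def _call_name(call):
    """Name of the called function, for both `f(...)` and `obj.f(...)`."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return None


def _is_sanitized(node):
    """A direct call to a sanitiser, e.g. int(...) or escape(...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in SANITIZERS)


def _root_name(node):
    """For a chain like `a.b.c[...]` return "a"; None if not rooted in a name."""
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def _expr_taints(node, tainted):
    """True if the expression can carry a user-controlled value."""
    if _is_sanitized(node):
        return False                      # sanitiser output is treated as clean
    if isinstance(node, ast.Name):
        return node.id in tainted or node.id == SOURCE_ROOT
    if isinstance(node, ast.Attribute) and _root_name(node) == SOURCE_ROOT:
        return True                       # request.GET[...], request.POST.get(...), ...
    return any(_expr_taints(child, tainted) for child in ast.iter_child_nodes(node))


def _statements(body):
    """Yield statements in source order, descending into compound statements."""
    for stmt in body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue                      # nested functions are analysed on their own
        yield stmt
        for field in ("body", "orelse", "finalbody"):
            yield from _statements(getattr(stmt, field, []))
        for handler in getattr(stmt, "handlers", []):
            yield from _statements(handler.body)


def _direct_exprs(stmt):
    """Expression children of a statement (nested statement blocks are lists of stmt, so skipped)."""
    for _field, value in ast.iter_fields(stmt):
        if isinstance(value, ast.expr):
            yield value
        elif isinstance(value, list):
            yield from (v for v in value if isinstance(v, ast.expr))


def analyze(source):
    """Return (function, line, sink) for every tainted value reaching a sink's first argument."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        tainted = set()                   # names currently holding user-controlled data
        for stmt in _statements(func.body):
            # 1. report sink calls whose query/body argument is tainted;
            #    only the first argument is checked, so a parameterised
            #    execute(query, params) with a constant query is accepted
            for expr in _direct_exprs(stmt):
                for node in ast.walk(expr):
                    if (isinstance(node, ast.Call) and _call_name(node) in SINK_CALLS
                            and node.args and _expr_taints(node.args[0], tainted)):
                        findings.append((func.name, node.lineno, _call_name(node)))
            # 2. propagate taint through simple assignments `name = <expr>`
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if _expr_taints(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)   # reassignment with clean data clears it
    return findings


if __name__ == "__main__":
    for func_name, line, sink in analyze(SAMPLE):
        print(f"{func_name}: line {line}: user input reaches {sink}()")
```

Run as a script, it flags both calls in `search` and nothing in `search_fixed`: the parameterised query keeps user data out of the SQL string, `int()` and `escape()` act as sanitisers, and a name that is reassigned with a clean value stops being tainted. A production analyser adds interprocedural tracking, far larger source and sink lists, and models of third-party frameworks, which is what the quoted statement refers to when it mentions checking internal frameworks.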

Pysa has helped Facebook reduce the risk of its security engineers becoming overburdened. It has found a total of 330 security flaws. The company said that Pysa lends itself to finding both a range of common vulnerabilities and more subtle compliance issues.

The tool is now available on GitHub to everyone. Facebook has shared many examples of how it works with Python code, and users can adapt it to the framework of their choice.