It works by scanning code in a static form, before the code is run or compiled, looking for known patterns that may indicate a bug, and then flagging potential issues to the developer. Facebook says the tool was developed internally, and, through constant refinement, Pysa has now reached maturity. For example, Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram's server-side Python code.

Developed for security teams

Behind this success stands the work of the Facebook security team. Even though Pysa was based on the open-source code of the Pyre project, the tool has been built around the needs of a security team. While most static analyzers look for a wide range of bugs, Pysa was specifically developed to look for security-related issues. More particularly, Pysa tracks flows of data through a program. Most security exploits today take advantage of unfiltered or uncontrolled data flows. For example, a remote code execution (RCE), one of today's worst types of bugs, when stripped down, is basically a user input that reaches unwanted portions of a codebase. This concept isn't new and is something that Facebook has already perfected with Zoncolan, a static analyzer that Facebook released in August 2019 for Hack, the PHP-like language variation that Facebook uses for the main Facebook app's codebase. Both Pysa and Zoncolan look for sources (where data enters a codebase) and sinks (where data ends up). Both tools track how data moves across a codebase and find dangerous sinks, such as functions that can execute code or retrieve sensitive user data. When a connection is found between a source and a dangerous sink, Pysa (and Zoncolan) warn developers to investigate.

Built for speed and large codebases

But as Facebook security engineer Graham Bleaney told ZDNet in a phone call this week, Pysa's ability to find security issues wouldn't be that useful if it took days to scan Instagram's entire codebase. As such, Pysa was also built for speed, being capable of going over millions of lines of code in anywhere from 30 minutes to hours. This allows Pysa to find bugs in near real-time and lets development teams feel safe about integrating the tool into their regular workflows and routines without having to fear that using it might delay shipping their code or cause them to miss hard deadlines.

Extendable

But Pysa also has another ace up its sleeve, and that's extendability. Instagram, which mostly runs on Python code, was never developed as a cohesive unit from the get-go. Just like most major platforms, its code was stitched together and improved as the company grew. Currently, its codebase includes lots of different Python frameworks and Python libraries, all running different Instagram components and features. For Pysa, this also means the tool was created under a plug-and-play model, where the tool can be extended to adapt to new frameworks on the fly. "Because we use open source Python server frameworks such as Django and Tornado for our own products, Pysa can start finding security issues in projects using these frameworks from the first run," Bleaney said. "Using Pysa for frameworks we don't already have coverage for is generally as simple as adding a few lines of configuration to tell Pysa where data enters the server."
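The source-to-sink model described above, and the "few lines of configuration" that teach the analyzer where data enters the server for a framework it does not yet know, can be seen in miniature in the toy taint analyzer below. This is an added example, not Pysa's or Facebook's code: it walks the Python AST, tracks taint within one function at a time, and the source, sink and sanitizer names it is configured with (request.GET.get, os.system, shlex.quote, self.get_argument) are assumed for illustration, as are the two constructed code snippets it analyses.

```python
import ast
from collections import namedtuple

# Hypothetical configuration in the spirit of the article: calls that introduce
# user-controlled data (sources), calls that are dangerous to reach (sinks) and
# calls whose output is treated as clean (sanitizers).
DEFAULT_SOURCES = {"request.GET.get", "request.POST.get", "input"}
DEFAULT_SINKS = {"os.system", "subprocess.run", "eval", "exec"}
DEFAULT_SANITIZERS = {"shlex.quote"}

# function holding the sink call, source that tainted the data, sink name, line
Finding = namedtuple("Finding", "function source sink line")

def dotted_name(node):
    """Render a Name/Attribute chain such as request.GET.get as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

class TaintAnalyzer(ast.NodeVisitor):
    """Intra-procedural forward taint tracking over assignments and calls."""

    def __init__(self, sources, sinks, sanitizers):
        self.sources, self.sinks, self.sanitizers = sources, sinks, sanitizers
        self.findings = []
        self._tainted = {}        # variable name -> source that tainted it
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        saved = (self._func, self._tainted)
        self._func, self._tainted = node.name, {}   # fresh state per function
        self.generic_visit(node)
        self._func, self._tainted = saved

    def taint_of(self, expr):
        """Return the source name if expr carries taint, else None."""
        if isinstance(expr, ast.Name):
            return self._tainted.get(expr.id)
        if isinstance(expr, ast.BinOp):             # e.g. "ping " + host
            return self.taint_of(expr.left) or self.taint_of(expr.right)
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in self.sources:
                return name
            if name in self.sanitizers:
                return None
            # any other call propagates taint from its arguments to its result
            return next((t for t in map(self.taint_of, expr.args) if t), None)
        return None

    def visit_Assign(self, node):
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if taint:
                    self._tainted[target.id] = taint
                else:
                    self._tainted.pop(target.id, None)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in self.sinks:
            taint = next((t for t in map(self.taint_of, node.args) if t), None)
            if taint:
                self.findings.append(Finding(self._func, taint, name, node.lineno))
        self.generic_visit(node)

def analyze(code, sources=()):
    """Run the toy analysis; extra sources extend the default configuration."""
    analyzer = TaintAnalyzer(DEFAULT_SOURCES | set(sources), DEFAULT_SINKS, DEFAULT_SANITIZERS)
    analyzer.visit(ast.parse(code))
    return analyzer.findings

# Constructed sample code to analyse; not taken from any real project.
DJANGO_STYLE = '''import os, shlex
def ping(request):
    host = request.GET.get("host")
    os.system("ping -c 1 " + host)               # source reaches sink
def ping_quoted(request):
    host = shlex.quote(request.GET.get("host"))
    os.system("ping -c 1 " + host)               # sanitized first: no finding
'''

# A framework whose request entry point the default configuration does not know.
TORNADO_STYLE = '''import subprocess
class Handler:
    def post(self):
        subprocess.run(self.get_argument("cmd"), shell=True)
'''

if __name__ == "__main__":
    print(analyze(DJANGO_STYLE))
    print(analyze(TORNADO_STYLE))                                   # []: entry point unknown
    print(analyze(TORNADO_STYLE, sources={"self.get_argument"}))    # one config entry fixes that
```

Run as a script, the analyzer reports the flow in `ping` but not in `ping_quoted`, and reports nothing for the Tornado-style handler until `self.get_argument` is registered as a source, which is the shape of the "add a few lines of configuration" step the article describes. Unlike this toy, which resets its taint state at each function boundary, the article describes Pysa following data across a whole codebase; the value of the configuration-driven model is the same in both.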