Facebook has formally open-sourced one of its secret security tools for Instagram that finds and fixes bugs. The tool called Pysa is now available on open-source repository GitHub. Pysa is a security-focused tool built on top of Facebook's type checker for Python called Pyre. It's used to look at code and analyse how data flows through it. "We've made Pysa open source, together with many of the definitions required to help it find security issues, so that others can use the tool for their own Python code," Facebook said in a statement on Friday.
"Analysing data flow is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn't". According to the company, Pysa detected 44 per cent of all security bugs in Instagram's server-side Python code in the first half of this year. Facebook has also built Zoncolan, a static analysis tool that helps us analyze more than 100 million lines of Hack code and has helped engineers prevent thousands of potential security issues. "That success inspired us to develop Pysa, which is an acronym for Python Static Analyser," said Facebook.
The largest repository of Python code is the millions of lines that power Instagram's servers. "Automated analyzers like Pysa are an important tool for maintaining quality and security in this codebase," said Facebook. When Pysa is run on a developer's proposed code change, the tool provides results in about an hour rather than the weeks or months it could take to review manually. The results go either directly to the developer or to security engineers, depending on the type of issue detected.