In this digital era, the security issues of applications is a significant concern. A tool to detect security issues in a python-based application is the latest development by Facebook. The open-source tool Pysa (Python Static Analyzer) looks at how data flows through the code. Breaking down information streams is valuable because numerous security and protection issues can be displayed as information streaming into a spot it shouldn’t.
Working of Pysa
- The user defines sources(the places where essential data originates) and sink(the place where the code generated at source should not flow)
- Pysa performs iterative rounds of examination to construct synopses to figure out which functions return information from a source and functions which have boundaries that arrive at a sink in the long run. Pysa reports an issue when it sees that a source eventually connects to a sink.
It is used by Facebook internally on Instagram. Utilized to check the engineer’s proposed code change for security and protection issues and forestall them being presented in the codebase, just as to distinguish the existing problems in a codebase.
Limitations of Pysa:
- False positives and false negatives
- False-positive: It occurs when the tool reports a fake issue
- False-negative: It happens when the tool does not indicate a problem present in the application.
Pysa is developed to avoid false-negative and find as many issues as possible. This method may cause a trade-off with the false positive.
To avoid this, Pysa uses two features: Sanitizers and Features.
- Pysa can detect data-flow related issues and not all security and privacy-related issues.