Pysa is an abbreviation of Python Static Analyzer.
Pysa is a security-focused tool built on top of our type checker for Python, Pyre. It’s used to look at code and analyze how data flows through it. Analyzing data flows is useful because many security and privacy issues can be modeled as data flowing into a place it shouldn’t. It breaks down the data stream and makes it easy for developers to see the issues and understand their criticality.
As we all know, Python is one of the most famous and popular programming languages in the coding world. It’s easy to learn and has lots of community support. Literally anybody can start programming in Python. Because of this robustness and user-friendliness, Python is also used by big companies like Facebook.
Pysa is built on top of Pyre. Pyre is a code checker tool for Python 3. It follows the typing standards introduced in PEPs 484, 526 and 612, and is actively developed and constantly improved. Facebook developed Pyre to analyze the data flow in code.
Pysa helps to detect a wide range of issues.
- It helps to find common web app vulnerabilities like Cross-Site Scripting (XSS), SQL injection, etc.
- It helps to keep an eye on internal frameworks that work with user data and privacy policies, making sure that no outside function can gain any kind of insecure access to these crucial pieces of data.
How Pysa works:
In order to understand how Pysa works, we need to understand two basic terms:
- Source: It’s the place of origin of essential data, the starting point from where everything begins.
- Sink: As the word suggests, it’s the place where data that originated from a source should not end up. If that happens, it’s a red flag.
Both the sources and sinks are defined by the developers or testers. Once this is done, Pysa comes into the picture: it traces the data coming out of each source and checks whether it can reach a sink. This is repeated, like a loop, until all sources are covered.
Generally, for any kind of security analysis, the sources are the openings through which user-controlled data enters the application, an open gate for data to flow in, such as Django’s HttpRequest.GET dictionary. Sinks vary, but in general they include APIs that execute code, such as eval, or methods that access the file system, such as os.open.
It reports an issue when it sees that a source eventually connects to a sink.
[Figure: Pictorial Representation Of Pysa Working]
How To Deal With False Positives And Negatives
- False positives happen when a tool reports a security issue but in reality there is none: the tool misjudges a harmless condition as a security issue.
- False negatives are the opposite of false positives: the tool fails to find a real issue, which leaves a security hole.
Either case determines the quality of the tool. A high count of either means lower quality, which can lead to real problems in practice.
In order to avoid false positives and false negatives, Pysa has Sanitizers and Features:
- Sanitizers: During analysis, a sanitizer instructs Pysa to stop following the flow of data once it has passed through a given method or attribute. This lets users encode domain-specific knowledge about transformations that render data benign from a security point of view.
- Features: Features are chunks of metadata that Pysa can attach to a data flow and track along with it. It’s like a James Bond movie scene where Bond plants a tracker to trace the enemy.
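As an added example (not from the original post or from the Pysa project), this is how the source, sinks, sanitizer and feature discussed above are declared in a Pysa model (`.pysa`) file. The module `myapp.utils` and its functions are assumed names, and the `UserControlled`/`RemoteCodeExecution`/`FileSystem` kinds and the `script_runner` feature must also be declared in the project’s `taint.config`.

```pysa
# Source: user-controlled data enters through Django's GET dictionary
# (the example the post gives). Every value read from it is tainted.
django.http.request.HttpRequest.GET: TaintSource[UserControlled]

# Sinks: the post's two examples, an API that executes code and one that
# touches the file system. Only the first parameter of each is a sink;
# the remaining parameters are listed unannotated so the stub matches
# the real signature.
def eval(source: TaintSink[RemoteCodeExecution], globals, locals): ...
def os.open(path: TaintSink[FileSystem], flags, mode=..., *, dir_fd=...): ...

# Sanitizer: once data has passed through this assumed helper, Pysa stops
# following its taint, so GET -> clean() -> eval() is not reported.
@Sanitize
def myapp.utils.clean(value): ...

# Feature: this assumed wrapper is a code-execution sink too, and the
# Via[...] tag rides along with the flow, so an issue reported here
# shows "script_runner" in its metadata and the reviewer can tell which
# path the data took.
def myapp.utils.run_script(code: TaintSink[RemoteCodeExecution, Via[script_runner]]): ...
```

A rule in `taint.config` pairing `UserControlled` with `RemoteCodeExecution` is what turns a GET-to-eval flow into a reported issue; without the `@Sanitize` model, a flow through `clean()` would still be flagged.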
To learn more, please visit https://engineering.fb.com/2020/08/07/security/pysa/