Security Engineering Manager @meta, leading a team scaling the detection and prevention of web vulnerabilities

Joined March 2011
Pinned Tweet
It's official: PEP 675 has been accepted! Once you've got Python 3.11 and a type checker that supports it (Pyre already does 🙂), try using LiteralString to make your Python code safer by preventing SQLi and all other kinds of injection attacks: peps.python.org/pep-0675/
My team is hiring for a unique role, taking the static analysis tools we've developed for security use cases and applying them to solve some of our most pressing privacy needs: metacareers.com/jobs/1448172… DMs are open if you want to learn more!

I'll be presenting "Teaching an old dog new tricks: Reusing security tools in novel domains" at #Enigma2022 in Santa Clara, February 1–3, 2022. It provides case studies of how security tools like Pysa have been used in non-security applications at Facebook bit.ly/enigma2022
If you're curious about how it works, my co-author and I will be presenting about LiteralString (and other uses of typing for security) at this year's PyCon: us.pycon.org/2022/schedule/p…

Late to the game on this one but I really loved Ryan Pickren's latest writeup on UXSS on Safari. I think he undersells the work involved to get there, but does an excellent job highlighting how far you can get by looking at old protocols, file types, etc: ryanpickren.com/safari-uxss

We have a draft PEP up for adding a new Literal[str] type to #Python3: python.org/dev/peps/pep-0675… When used correctly, this type can prevent all kinds of injection vulnerabilities. We've been experimenting with this at Meta for a while, and are excited to share with the world.
But queries safely built from only string literals will be allowed:

    user_id: str
    query = f"SELECT * FROM data WHERE user_id = ?"
    if limit:
        query += " LIMIT 1"
    conn.execute(query, (user_id,))  # Type Error!
This functionality is already supported in Pyre if you want to try it: pyre-check.org/ Feedback on the PEP would be greatly appreciated!
Graham Bleaney retweeted
10 Jun 2021
We are looking for an experienced application security engineer to help build a world where everyone, everywhere has secure access to the world’s financial system. We have the vibe of a FinTech startup with the perks of a big company. Apply here: facebook.com/careers/v2/jobs…

For those attending @pycon (it's too late to sign up!), check out the talk @the_st0rm and I are giving on the myriad of APIs that can enable remote code execution in Python: us.pycon.org/2021/schedule/p… These examples were originally compiled as a part of our work on Pysa.

To go with the #PyConUS2021 talk, we've also got a demo repo with examples of functions that enable code execution in Python: github.com/gbleaney/python_s…. There's a UI to test exploits against and a machine-readable dump of sinks to feed to your static analyzers (including Pysa 😀 )
Our #PyCon 2021 talk "Unexpected Execution: Wild Ways Code Execution can Occur in Python" is now on YouTube: youtube.com/watch?v=R1KrPc1I… I guarantee there will be at least one RCE vector in there that you weren't aware of. It also comes with demos: github.com/gbleaney/python_s…
Graham Bleaney retweeted
The second round of our RFP is now published, with proposals being accepted until July 14! "Towards Trustworthy Products in AR, VR, Smart Devices". research.fb.com/programs/res…

Graham Bleaney retweeted
🤔 Explain Like I’m 5 🤔 In just over a minute, Jessica (@hey_its_jlin) gives an overview of #Pysa, an #OpenSource Python static analysis tool used to detect and prevent security issues in #Python code. Check it out here: youtu.be/LDxAczqkBiY
Graham Bleaney retweeted
19 Nov 2020
wired.com/story/facebook-mes… A decade of Facebook bug bounty. 130,000 reports, 6,900 valid, 11.7 million paid out. An incredible team of folks lead this program now - it started in a basement and with us taking weekly trips to Western Union to send money orders to fulfill bounties.
Found this fun tidbit when looking into Python's standard library. What do you think happens when you run it? Hint: it's exactly what you think shouldn't happen.

    from typing import get_type_hints

    class C:
        member: "print('test')" = None

    get_type_hints(C)