Nipuna Weerasekara

Sri Lanka

I am a web developer turned security researcher. I have published and presented on the research areas of software vulnerability remediation, web application security and vulnerability remediation in open-source. Currently, I am a full-time researcher at SCoRe Lab. In a previous life, I contributed to the development of Sri Lanka’s very own Bug Bounty Platform Bug Zero. Now, I am over-seeing the development of the Bug Zero platform.

With my research, I have contributed to the development of an experimental platform Sequza to aid vulnerability remediation.

Apart from my work, I love tv, cinema, and indie music. In my leisure time, I contribute to open-source projects, write technical articles, and read and discuss philosophy. Also, occasionally I upload funny video clips to my YouTube channel.

Publications

ACM CCS
Demo: Large Scale Analysis on Vulnerability Remediation in Open-Source JavaScript Projects

Bandara, Vinuri, Rathnayake, Thisura, Weerasekara, Nipuna, Elvitigala, Charitha, Thilakarathna, Kenneth, Wijesekera, Primal, De Zoysa, Kasun, and Keppitiyagama, Chamath

In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021

Abstract PDF BibTeX

Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every software project has to go through. When comparing the studies on understanding the security vulnerabilities in software, such as vulnerability discovery and patterns, there is a lack of studies on the vulnerability remediation phase. To address this, we have done a timeline analysis for 130 of the most dependent upon open source projects written in JavaScript language, hosted on GitHub to understand the nature and the lifetime of the vulnerabilities in those projects. We used a static code analyzer on 501K commits from the repositories to identify commits that introduced new vulnerabilities to the code and fixed existing vulnerabilities in the code. In 90% of the projects, we identified that a commit that fixed an existing vulnerability had introduced one or more new vulnerabilities into the code. On average, 16% of the commits intended to fix vulnerabilities have introduced one or more new vulnerabilities from the analyzed projects. We also found that 18% of the total vulnerabilities found in those projects have originated from a commit meant to fix an existing vulnerability, and 78% of those vulnerabilities could have been avoided of introduction if the developers were to use proper internal testing. Here, we demonstrate Sequza, a visualization tool to help organizations detect such instances at the earliest possible.
@inproceedings{10.1145/3460120.3485357, author = {Bandara, Vinuri and Rathnayake, Thisura and Weerasekara, Nipuna and Elvitigala, Charitha and Thilakarathna, Kenneth and Wijesekera, Primal and De Zoysa, Kasun and Keppitiyagama, Chamath}, title = {Demo: Large Scale Analysis on Vulnerability Remediation in Open-Source JavaScript Projects}, year = {2021}, isbn = {9781450384544}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3460120.3485357}, doi = {10.1145/3460120.3485357}, booktitle = {Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security}, pages = {2447–2449}, numpages = {3}, keywords = {security testing, vulnerability analysis, software security, vulnerability remediation}, location = {Virtual Event, Republic of Korea}, series = {CCS '21}, pdf = {https://dl.acm.org/doi/pdf/10.1145/3460120.3485357}, kind = {Posters}, selected = {true}, abbr = {ACM CCS}, bibtex_show = {true} }
SCAM
Fix that Fix Commit: A real-world remediation analysis of JavaScript projects

Bandara, Vinuri, Rathnayake, Thisura, Weerasekara, Nipuna, Elvitigala, Charitha, Thilakarathna, Kenneth, Wijesekera, Primal, and Keppitiyagama, Chamath

In 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM), 2020

Abstract PDF BibTeX

While there is a large body of work on understanding vulnerabilities in the wild, little has been done to understand the dynamics of the remediation phase of the development cycle. To this end, we have done a timeline analysis on 118K commits from 53 of the most used JavaScript projects from GitHub to understand the provenance and prevalence of vulnerabilities in those projects. We used a vulnerability detector (CodeQL) to filter commits that introduced vulnerabilities and the commits that fixed a prior vulnerability. We found that in 82% of the projects, a commit fixing a prior vulnerability, in turn, introduced one or more new vulnerabilities. Among those projects, on average, 18% of the commits intended to fix vulnerabilities, in turn, introduced one or more new vulnerabilities. We also found that 50% of the total vulnerabilities found in those projects originated from a commit meant to fix a prior vulnerability, and 78% of those vulnerabilities could have been avoided if they were to use proper internal testing. We provide critical insights into how proper internal testing can avoid a significant portion of vulnerabilities, increasing organizations' security posture.
@inproceedings{9252067, author = {Bandara, Vinuri and Rathnayake, Thisura and Weerasekara, Nipuna and Elvitigala, Charitha and Thilakarathna, Kenneth and Wijesekera, Primal and Keppitiyagama, Chamath}, booktitle = {2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM)}, title = {Fix that Fix Commit: A real-world remediation analysis of JavaScript projects}, year = {2020}, volume = {}, number = {}, pages = {198-202}, doi = {10.1109/SCAM51674.2020.00027}, pdf = {https://conferences.computer.org/icsme/pdfs/SCAM2020-CdP3rS7mSlqVWzF3cXW7H/924800a187/924800a187.pdf}, kind = {Conferences}, selected = {true}, abbr = {SCAM}, bibtex_show = {true} }