Nipuna Weerasekara

Sri Lanka

I am a web developer turned security researcher. I have published and presented on the research areas of software vulnerability remediation, web application security and vulnerability remediation in open-source. Currently, I am a full-time researcher at SCoRe Lab. In a previous life, I contributed to the development of Sri Lanka’s very own Bug Bounty Platform Bug Zero. Now, I am over-seeing the development of the Bug Zero platform.

With my research, I have contributed to the development of an experimental platform Sequza to aid vulnerability remediation.

Apart from my work, I love tv, cinema, and indie music. In my leisure time, I contribute to open-source projects, write technical articles, and read and discuss philosophy. Also, occasionally I upload funny video clips to my YouTube channel.

Publications

CMOT
Vaccination trials on hold: malicious and low credibility content on Twitter during the AstraZeneca COVID-19 vaccine development

Horawalavithana, Sameera, De Silva, Ravindu, Weerasekara, Nipuna, Kin Wai, NG, Nabeel, Mohamed, Abayaratna, Buddhini, Elvitigala, Charitha, Wijesekera, Primal, and Iamnitchi, Adriana

In Computational and Mathematical Organization Theory, 2022

Abstract PDF BibTeX

The development of COVID-19 vaccines during the global pandemic that started in 2020 was marked by uncertainty and misinformation reflected also on social media. This paper provides a quantitative evaluation of the Uniform Resource Locators (URLs) shared on Twitter around the clinical trials of the AstraZeneca vaccine and their temporary interruption in September 2020. We analyzed URLs cited in Twitter messages before and after the temporary interruption of the vaccine development on September 9, 2020 to investigate the presence of low credibility and malicious information. We show that the halt of the AstraZeneca clinical trials prompted tweets that cast doubt, fear and vaccine opposition. We discovered a strong presence of URLs from low credibility or malicious websites, as classified by independent fact-checking organizations or identified by web hosting infrastructure features. Moreover, we identified what appears to be coordinated operations to artificially promote some of these URLs hosted on malicious websites.
@article{horawalavithana2022vaccination, title = {Vaccination trials on hold: malicious and low credibility content on Twitter during the AstraZeneca COVID-19 vaccine development}, author = {Horawalavithana, Sameera and De Silva, Ravindu and Weerasekara, Nipuna and Kin Wai, NG and Nabeel, Mohamed and Abayaratna, Buddhini and Elvitigala, Charitha and Wijesekera, Primal and Iamnitchi, Adriana}, journal = {Computational and Mathematical Organization Theory}, pages = {1--22}, year = {2022}, publisher = {Springer}, url = {https://doi.org/10.1007/s10588-022-09370-3}, doi = {10.1007/s10588-022-09370-3}, pdf = {https://rdcu.be/c0Bxn}, kind = {Journals}, selected = {true}, abbr = {CMOT}, bibtex_show = {true} }
ACM CCS
Demo: Large Scale Analysis on Vulnerability Remediation in Open-Source JavaScript Projects

Bandara, Vinuri, Rathnayake, Thisura, Weerasekara, Nipuna, Elvitigala, Charitha, Thilakarathna, Kenneth, Wijesekera, Primal, De Zoysa, Kasun, and Keppitiyagama, Chamath

In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021

Abstract PDF BibTeX

Given the widespread prevalence of vulnerabilities, remediation is a critical phase that every software project has to go through. When comparing the studies on understanding the security vulnerabilities in software, such as vulnerability discovery and patterns, there is a lack of studies on the vulnerability remediation phase. To address this, we have done a timeline analysis for 130 of the most dependent upon open source projects written in JavaScript language, hosted on GitHub to understand the nature and the lifetime of the vulnerabilities in those projects. We used a static code analyzer on 501K commits from the repositories to identify commits that introduced new vulnerabilities to the code and fixed existing vulnerabilities in the code. In 90% of the projects, we identified that a commit that fixed an existing vulnerability had introduced one or more new vulnerabilities into the code. On average, 16% of the commits intended to fix vulnerabilities have introduced one or more new vulnerabilities from the analyzed projects. We also found that 18% of the total vulnerabilities found in those projects have originated from a commit meant to fix an existing vulnerability, and 78% of those vulnerabilities could have been avoided of introduction if the developers were to use proper internal testing. Here, we demonstrate Sequza, a visualization tool to help organizations detect such instances at the earliest possible.
@inproceedings{10.1145/3460120.3485357, author = {Bandara, Vinuri and Rathnayake, Thisura and Weerasekara, Nipuna and Elvitigala, Charitha and Thilakarathna, Kenneth and Wijesekera, Primal and De Zoysa, Kasun and Keppitiyagama, Chamath}, title = {Demo: Large Scale Analysis on Vulnerability Remediation in Open-Source JavaScript Projects}, year = {2021}, isbn = {9781450384544}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3460120.3485357}, doi = {10.1145/3460120.3485357}, booktitle = {Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security}, pages = {2447–2449}, numpages = {3}, keywords = {security testing, vulnerability analysis, software security, vulnerability remediation}, location = {Virtual Event, Republic of Korea}, series = {CCS '21}, pdf = {https://dl.acm.org/doi/pdf/10.1145/3460120.3485357}, kind = {Posters}, selected = {true}, abbr = {ACM CCS}, bibtex_show = {true} }
SCAM
Fix that Fix Commit: A real-world remediation analysis of JavaScript projects

Bandara, Vinuri, Rathnayake, Thisura, Weerasekara, Nipuna, Elvitigala, Charitha, Thilakarathna, Kenneth, Wijesekera, Primal, and Keppitiyagama, Chamath

In 2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM), 2020

Abstract PDF BibTeX

While there is a large body of work on understanding vulnerabilities in the wild, little has been done to understand the dynamics of the remediation phase of the development cycle. To this end, we have done a timeline analysis on 118K commits from 53 of the most used JavaScript projects from GitHub to understand the provenance and prevalence of vulnerabilities in those projects. We used a vulnerability detector (CodeQL) to filter commits that introduced vulnerabilities and the commits that fixed a prior vulnerability. We found that in 82% of the projects, a commit fixing a prior vulnerability, in turn, introduced one or more new vulnerabilities. Among those projects, on average, 18% of the commits intended to fix vulnerabilities, in turn, introduced one or more new vulnerabilities. We also found that 50% of the total vulnerabilities found in those projects originated from a commit meant to fix a prior vulnerability, and 78% of those vulnerabilities could have been avoided if they were to use proper internal testing. We provide critical insights into how proper internal testing can avoid a significant portion of vulnerabilities, increasing organizations' security posture.
@inproceedings{9252067, author = {Bandara, Vinuri and Rathnayake, Thisura and Weerasekara, Nipuna and Elvitigala, Charitha and Thilakarathna, Kenneth and Wijesekera, Primal and Keppitiyagama, Chamath}, booktitle = {2020 IEEE 20th International Working Conference on Source Code Analysis and Manipulation (SCAM)}, title = {Fix that Fix Commit: A real-world remediation analysis of JavaScript projects}, year = {2020}, volume = {}, number = {}, pages = {198-202}, doi = {10.1109/SCAM51674.2020.00027}, pdf = {https://conferences.computer.org/icsme/pdfs/SCAM2020-CdP3rS7mSlqVWzF3cXW7H/924800a187/924800a187.pdf}, kind = {Conferences}, selected = {true}, abbr = {SCAM}, bibtex_show = {true} }