Software Security Patch Management -- A Systematic Literature Review of Challenges, Approaches, Tools and Practices
Context: Software security patch management purports to support the process
of patching known software security vulnerabilities. Patching security
vulnerabilities in large and complex systems is a hugely challenging process
that involves multiple stakeholders making several interdependent technological
and socio-technical decisions.
Objective: This paper reports our work aimed at systematically reviewing the
state of the art of software security patch management to identify the
socio-technical challenges in this regard, reported solutions (i.e., approaches
and associated tools, and practices), the rigour of the evaluation and the
industrial relevance of the reported solutions, and to identify gaps for
future research.
Method: We conducted a systematic literature review of 72 studies on software
security patch management published from 2002 to March 2020, with extended
coverage until September 2020 through forward snowballing.
Results: We identify 14 key socio-technical challenges in security patch
management with 6 common challenges encountered throughout the process.
Similarly, we provide a classification of the reported solutions mapped onto
the patch management process. The analysis also reveals that only 20.8% of the
reported solutions have been rigorously evaluated in industrial settings.
Conclusion: Our results reveal that two-thirds of the common challenges have
not been directly addressed in the solutions and that most of them (37.5%)
address the challenges in one stage of the process. Based on the results that
highlight the important concerns in software security patch management and the
lack of solutions, we recommend a list of future research directions. This
research study also provides useful insights into different opportunities for
practitioners to adopt new solutions and understand the variations of their
practical utility.
Comment: 48 pages, 7 figures