Software Security Patch Management – A Systematic Literature Review of Challenges, Approaches, Tools and Practices

by   Nesara Dissanayake, et al.

Context: Software security patch management purports to support the process of patching known software security vulnerabilities. Patching security vulnerabilities in large and complex systems is a hugely challenging process that involves multiple stakeholders making several interdependent technological and socio-technical decisions. Objective: This paper reports our work aimed at systematically reviewing the state of the art of software security patch management to identify the socio-technical challenges in this regard, reported solutions (i.e., approaches and associated tools, and practices), the rigour of the evaluation and the industrial relevance of the reported solutions, and to identify the gaps for the future research. Method: We conducted a systematic literature review of 72 studies on software security patch management published from 2002 to March 2020, with extended coverage until September 2020 through forward snowballing. Results: We identify 14 key socio-technical challenges in security patch management with 6 common challenges encountered throughout the process. Similarly, we provide a classification of the reported solutions mapped onto the patch management process. The analysis also reveals that only 20.8 reported solutions have been rigorously evaluated in industrial settings. Conclusion: Our results reveal that two-thirds of the common challenges have not been directly addressed in the solutions and that most of them (37.5 address the challenges in one stage of the process. Based on the results that highlight the important concerns in software security patch management and the lack of solutions, we recommend a list of future research directions. This research study also provides useful insights into different opportunities for practitioners to adopt new solutions and understand the variations of their practical utility.



There are no comments yet.


page 10


A Grounded Theory of the Role of Coordination in Software Security Patch Management

Several disastrous security attacks can be attributed to delays in patch...

System Security Assurance: A Systematic Literature Review

Security assurance provides the confidence that security features, pract...

The Need for Holistic Technical Debt Management across the Value Stream: Lessons Learnt and Open Challenges

The long lifetime and the evolving nature of industrial products make th...

Runtime Software Patching: Taxonomy, Survey and Future Directions

Runtime software patching aims to minimize or eliminate service downtime...

Security of Microservice Applications: A Practitioners' Perspective on Challenges and Best Practices

Cloud-based application deployment is becoming increasingly popular amon...

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Numerous security attacks that resulted in devastating consequences can ...

A Multi-Vocal Review of Security Orchestration

Organizations use diverse types of security solutions to prevent cyberat...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction