Dissanayake, Nesara scite author profile

Context: Software security patch management purports to support the process of patching known software security vulnerabilities. Patching security vulnerabilities in large and complex systems is a hugely challenging process that involves multiple stakeholders making several interdependent technological and socio-technical decisions. Given the increasing recognition of the importance of software security patch management, it is important and timely to systematically review and synthesise the relevant literature of this topic.Objective: This paper reports our work aimed at systematically reviewing the state of the art of software security patch management to identify the socio-technical challenges in this regard, reported solutions (i.e., approaches and associated tools, and practices), the rigour of the evaluation and the industrial relevance of the reported solutions, and to identify the gaps for the future research. Method:We conducted a systematic literature review of 72 studies on software security patch management published from 2002 to March 2020, with extended coverage until September 2020 through forward snowballing.Results: We identify 14 key socio-technical challenges in security patch management with 6 common challenges encountered throughout the process. Similarly, we provide a classification of the reported solutions mapped onto the patch management process. The analysis also reveals that only 20.8% of the reported solutions have been rigorously evaluated in industrial settings. Conclusion:Our results reveal that a two-thirds of the common challenges have not been directly addressed in the solutions and that most of them (37.5%) address the challenges in one stage of the process, namely vulnerability scanning, assessment and prioritisation. Based on the results that highlight the important concerns in software security patch management and the lack of solutions, we recommend a list of future research directions. This research study also provides useful insights about different opportunities for practitioners to adopt new solutions and understand the variations of their practical utility.

show abstract

A grounded theory of the role of coordination in software security patch management

Nesara

Zahedi

Jayatilaka

et al. 2021

View full text Add to dashboard Cite

Several disastrous security attacks can be attributed to delays in patching software vulnerabilities. While researchers and practitioners have paid significant attention to automate vulnerabilities identification and patch development activities of software security patch management, there has been relatively little effort dedicated to gain an in-depth understanding of the socio-technical aspects, e.g., coordination of interdependent activities of the patching process and patching decisions, that may cause delays in applying security patches. We report on a Grounded Theory study of the role of coordination in security patch management. The reported theory consists of four inter-related dimensions, i.e., causes, breakdowns, constraints, and mechanisms. The theory explains the causes that define the need for coordination among interdependent software/hardware components and multiple stakeholders' decisions, the constraints that can negatively impact coordination, the breakdowns in coordination, and the potential corrective measures. This study provides potentially useful insights for researchers and practitioners who can carefully consider the needs of and devise suitable solutions for supporting the coordination of interdependencies involved in security patch management. CCS CONCEPTS• Software and its engineering → System administration; • Security and privacy → Software security engineering; Vulnerability management; Social aspects of security and privacy.

show abstract

Perceived Effectiveness of Current Tax Compliance after the COVID-19 Pandemic

Nesara

Kirchler

2021

SSRN Journal

View full text Add to dashboard Cite

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Nesara

Zahedi

Jayatilaka

et al. 2022

Proc. ACM Hum.-Comput. Interact.

View full text Add to dashboard Cite

Numerous security attacks that resulted in devastating consequences can be traced back to a delay in applying a security patch. Despite the criticality of timely patch application, not much is known about why and how delays occur when applying security patches in practice, and how the delays can be mitigated. Based on longitudinal data collected from 132 delayed patching tasks over a period of four years and observations of patch meetings involving eight teams from two organisations in the healthcare domain, and using quantitative and qualitative data analysis approaches, we identify a set of reasons relating to technology, people and organisation as key explanations that cause delays in patching. Our findings also reveal that the most prominent cause of delays is attributable to coordination delays in the patch management process and a majority of delays occur during the patch deployment phase. Towards mitigating the delays, we describe a set of strategies employed by the studied practitioners. This research serves as the first step toward understanding the practical reasons for delays and possible mitigation strategies in vulnerability patch management. Our findings provide useful insights for practitioners to understand what and where improvement is needed in the patch management process and guide them towards taking timely actions against potential attacks. Also, our findings help researchers to invest effort into designing and developing computer-supported tools to better support a timely security patch management process.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.