A grounded theory of the role of coordination in software security patch management

Nesara, Dissanayake,; Zahedi, Mansooreh; Jayatilaka, Asangi; Babar, Abdul

doi:10.1145/3468264.3468595

Cited by 8 publications

(16 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Concerning the coordination challenges, Dissanayake et. al [12] have proposed a grounded theory of the role of coordination in security patch management explaining the causes that create the need for coordinating in the security patch management process, constraints for effective coordination, breakdowns resulting from ineffective handling of the coordination causes and constraints, and mechanisms for managing the causes while mediating the constraints. Although several approaches have been proposed to improve the patch management process to reduce delays, the reasons why such delays occur and how to mitigate them remain unexplored.…”

Section: Background and Motivationmentioning

confidence: 99%

“…Concerning the complexity of patches, the patch interdependencies consisting of software, hardware, and firmware presented a major reason for delays in patch testing and deployment tasks. We identify that such complexities emerge from the existing dependencies in the source code, for example, function-level or library-level dependencies [12].…”

Section: 11mentioning

confidence: 99%

“…Patch interdependencies (30) Faulty patches (12) Extensive monitoring for faulty patch fixes (8) Patch heterogeneity (5) Increasing rate of patch release (2)…”

Section: R2 Limitations Of Current Toolsmentioning

confidence: 99%

“…in the collaborative process of dealing with third-party vulnerabilities and vendor patches [12,27,51]. As a result, organisations struggle to apply timely patches often leaving myriad vulnerabilities open to exploits.…”

mentioning

confidence: 99%

“…Further, another set of studies have attempted to optimise the patch management process by synchronising the organisational patch cycle with the vendor [4,5,37]. Focused on the coordination aspect, our previous study [12] presented a grounded theory of the role of coordination in security patch management based on observations of 51 patch meetings between two case organisations over nine months. The theory explains the causes that define the need for coordination in the process (i.e., the socio-technical dependencies), constraints that can hinder effective coordination, the breakdowns resulting from ineffective coordination of the causes and constraints, and the mechanisms to manage the causes, constraints and breakdowns.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Nesara¹,

Zahedi²,

Jayatilaka³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Numerous security attacks that resulted in devastating consequences can be traced back to a delay in applying a security patch. Despite the criticality of timely patch application, not much is known about why and how delays occur when applying security patches in practice, and how the delays can be mitigated. Based on longitudinal data collected from 132 delayed patching tasks over a period of four years and observations of patch meetings involving eight teams from two organisations in the healthcare domain, and using quantitative and qualitative data analysis approaches, we identify a set of reasons relating to technology, people and organisation as key explanations that cause delays in patching. Our findings also reveal that the most prominent cause of delays is attributable to coordination delays in the patch management process and a majority of delays occur during the patch deployment phase. Towards mitigating the delays, we describe a set of strategies employed by the studied practitioners. This research serves as the first step towards understanding the practical reasons for delays and possible mitigation strategies in vulnerability patch management. Our findings provide useful insights for practitioners to understand what and where improvement is needed in the patch management process and guide them towards taking timely actions against potential attacks. Also, our findings help researchers to invest effort into designing and developing computer-supported tools to better support a timely security patch management process.CCS Concepts: • Security and privacy → Software security engineering; Vulnerability management; • Software and its engineering → Maintaining software.

show abstract

Section: Background and Motivationmentioning

confidence: 99%

Section: 11mentioning

confidence: 99%

“…Patch interdependencies (30) Faulty patches (12) Extensive monitoring for faulty patch fixes (8) Patch heterogeneity (5) Increasing rate of patch release (2)…”

Section: R2 Limitations Of Current Toolsmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Nesara¹,

Zahedi²,

Jayatilaka³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

An Empirical Study of Automation in Software Security Patch Management

Nesara

Jayatilaka

Zahedi

et al. 2022

Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Nesara

Zahedi

Jayatilaka

et al. 2022

Proc. ACM Hum.-Comput. Interact.

View full text Add to dashboard Cite

Numerous security attacks that resulted in devastating consequences can be traced back to a delay in applying a security patch. Despite the criticality of timely patch application, not much is known about why and how delays occur when applying security patches in practice, and how the delays can be mitigated. Based on longitudinal data collected from 132 delayed patching tasks over a period of four years and observations of patch meetings involving eight teams from two organisations in the healthcare domain, and using quantitative and qualitative data analysis approaches, we identify a set of reasons relating to technology, people and organisation as key explanations that cause delays in patching. Our findings also reveal that the most prominent cause of delays is attributable to coordination delays in the patch management process and a majority of delays occur during the patch deployment phase. Towards mitigating the delays, we describe a set of strategies employed by the studied practitioners. This research serves as the first step toward understanding the practical reasons for delays and possible mitigation strategies in vulnerability patch management. Our findings provide useful insights for practitioners to understand what and where improvement is needed in the patch management process and guide them towards taking timely actions against potential attacks. Also, our findings help researchers to invest effort into designing and developing computer-supported tools to better support a timely security patch management process.

show abstract

A grounded theory of the role of coordination in software security patch management

Cited by 8 publications

References 36 publications

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

An Empirical Study of Automation in Software Security Patch Management

Why, How and Where of Delays in Software Security Patch Management: An Empirical Investigation in the Healthcare Sector

Contact Info

Product

Resources

About