We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:


Current browse context:


Change to browse by:


References & Citations

DBLP - CS Bibliography


(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Software Engineering

Title: Software Security Patch Management -- A Systematic Literature Review of Challenges, Approaches, Tools and Practices

Authors: Nesara Dissanayake (1 and 2), Asangi Jayatilaka (1 and 2), Mansooreh Zahedi (1 and 2), M. Ali Babar (1 and 2) ((1) School of Computer Science, The University of Adelaide, Australia, (2) Centre for Research on Engineering Software Technology (CREST), Australia)
Abstract: Context: Software security patch management purports to support the process of patching known software security vulnerabilities. Patching security vulnerabilities in large and complex systems is a hugely challenging process that involves multiple stakeholders making several interdependent technological and socio-technical decisions.
Objective: This paper reports our work aimed at systematically reviewing the state of the art of software security patch management to identify the socio-technical challenges in this regard, reported solutions (i.e., approaches and associated tools, and practices), the rigour of the evaluation and the industrial relevance of the reported solutions, and to identify the gaps for the future research.
Method: We conducted a systematic literature review of 72 studies on software security patch management published from 2002 to March 2020, with extended coverage until September 2020 through forward snowballing.
Results: We identify 14 key socio-technical challenges in security patch management with 6 common challenges encountered throughout the process. Similarly, we provide a classification of the reported solutions mapped onto the patch management process. The analysis also reveals that only 20.8% of the reported solutions have been rigorously evaluated in industrial settings.
Conclusion: Our results reveal that two-thirds of the common challenges have not been directly addressed in the solutions and that most of them (37.5%) address the challenges in one stage of the process. Based on the results that highlight the important concerns in software security patch management and the lack of solutions, we recommend a list of future research directions. This research study also provides useful insights into different opportunities for practitioners to adopt new solutions and understand the variations of their practical utility.
Comments: 48 pages, 7 figures
Subjects: Software Engineering (cs.SE)
Cite as: arXiv:2012.00544 [cs.SE]
  (or arXiv:2012.00544v1 [cs.SE] for this version)

Submission history

From: Nesara Dissanayake [view email]
[v1] Tue, 1 Dec 2020 14:56:43 GMT (2977kb,D)
[v2] Wed, 2 Dec 2020 07:58:12 GMT (2977kb,D)
[v3] Fri, 20 Aug 2021 02:33:40 GMT (2142kb,D)

Link back to: arXiv, form interface, contact.