Software Security Patch Management -- A Systematic Literature Review of Challenges, Approaches, Tools and Practices

Context: Software security patch management purports to support the process of patching known software security vulnerabilities. Patching security vulnerabilities in large and complex systems is a hugely challenging process that involves multiple stakeholders making several interdependent technological and socio-technical decisions. Objective: This paper reports our work aimed at systematically reviewing the state of the art of software security patch management to identify the socio-technical challenges in this regard, reported solutions (i.e., approaches and associated tools, and practices), the rigour of the evaluation and the industrial relevance of the reported solutions, and to identify the gaps for the future research. Method: We conducted a systematic literature review of 72 studies on software security patch management published from 2002 to March 2020, with extended coverage until September 2020 through forward snowballing. Results: We identify 14 key socio-technical challenges in security patch management with 6 common challenges encountered throughout the process. Similarly, we provide a classification of the reported solutions mapped onto the patch management process. The analysis also reveals that only 20.8% of the reported solutions have been rigorously evaluated in industrial settings. Conclusion: Our results reveal that two-thirds of the common challenges have not been directly addressed in the solutions and that most of them (37.5%) address the challenges in one stage of the process. Based on the results that highlight the important concerns in software security patch management and the lack of solutions, we recommend a list of future research directions. This research study also provides useful insights into different opportunities for practitioners to adopt new solutions and understand the variations of their practical utility.