DOI: 10.1145/3551349.3556969

An Empirical Study of Automation in Software Security Patch Management

Published: 05 January 2023

Abstract

Several studies have shown that automated support for different activities of the security patch management process has great potential for reducing delays in installing security patches. However, it is also important to understand how automation is used in practice, its limitations in meeting real-world needs and what practitioners really need, an area that has not been empirically investigated in the existing software engineering literature. This paper reports an empirical study aimed at investigating different aspects of automation for security patch management using semi-structured interviews with 17 practitioners from three different organisations in the healthcare domain. The findings are focused on the role of automation in security patch management for providing insights into the as-is state of automation in practice, the limitations of current automation, how automation support can be enhanced to effectively meet practitioners’ needs, and the role of the human in an automated process. Based on the findings, we have derived a set of recommendations for directing future efforts aimed at developing automated support for security patch management.


Cited By

  • Unveil the Mystery of Critical Software Vulnerabilities. In Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering (2024), 138–149. https://doi.org/10.1145/3663529.3663835. Online publication date: 10 July 2024.

Published In

ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering
October 2022, 2006 pages
ISBN: 9781450394758
DOI: 10.1145/3551349

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. patch management
  2. security updates
  3. vulnerability management

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ASE '22

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%
