An Empirical Study of Automation in Software Security Patch Management
Nesara Dissanayake, Asangi Jayatilaka, Mansooreh Zahedi, Muhammad Ali Babar

TL;DR
This empirical study investigates how automation is currently used in security patch management in practice, based on semi-structured interviews with 17 practitioners from three healthcare organisations, highlighting the limitations of current automation and suggesting improvements grounded in practitioner insights.
Contribution
It provides an empirical analysis of automation in security patch management through practitioner interviews, revealing practical limitations and guiding future automation development.
Findings
Automated support for security patch management activities has great potential to reduce delays in installing security patches
Automation as currently used in practice has notable limitations in meeting real-world needs
Practitioners need more effective automation support than current tooling provides
Abstract
Several studies have shown that automated support for different activities of the security patch management process has great potential for reducing delays in installing security patches. However, it is also important to understand how automation is used in practice, its limitations in meeting real-world needs and what practitioners really need, an area that has not been empirically investigated in the existing software engineering literature. This paper reports an empirical study aimed at investigating different aspects of automation for security patch management using semi-structured interviews with 17 practitioners from three different organisations in the healthcare domain. The findings are focused on the role of automation in security patch management for providing insights into the as-is state of automation in practice, the limitations of current automation, how automation support…
