Software vulnerability management in IoT systems: a systematic mapping study
摘要
The Internet of Things (IoT) has rapidly emerged as a ubiquitous and pervasive paradigm in software development, significantly impacting both social life and business environments. However, this growth has also led to a corresponding increase in the number and sophistication of threats and attacks targeting IoT devices and services. The vulnerability of IoT software to security breaches has become a significant concern for the research community. Managing software vulnerabilities in IoT is a hugely challenging process involving several socio-technical decisions. Despite the rapid increase in primary studies focusing on Software Vulnerability Management (SVM) in IoT systems, no secondary studies specifically identify and analyse the socio-technical challenges, solutions, and state-of-the-art evaluation studies in SVM in IoT systems. This paper aims to address this gap by systematically identifying, classifying, comparing, and evaluating state of the art of SVM in IoT systems from a socio-technical point of view. We conducted a systematic mapping study (SMS) based on 73 qualitatively selected studies to i) classify the types, frequency, and demography of published research; ii) identify the socio-technical challenges in this regard; iii) classify the reported solutions; and iv) understand the rigour of the evaluation, including real-world application. In summary, our results point to 32 socio-technical challenges in IoT vulnerability management, where most are practice-related. In terms of the solutions, we found a maximum number of solutions proposed for the software vulnerability identification stage, with 22 frameworks. The software vulnerability disclosure stage has the least amount of solutions reported. This SMS also reveals that there needs to be more rigorous evaluation using more mature forms of evaluations like simulation with real data and case studies. Based on the findings that highlight the important concerns in this domain, we recommend a list of future research directions.