How The Update Framework is Working to Improve Software Delivery Security | eWeek

How The Update Framework Improves Software Distribution Security

Justin Cappos TUF
Jul 13, 2018
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

In recent years that there been multiple cyber-attacks that compromised a software developer’s network to enable the delivery of malware inside of software updates. That’s a situation that Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve.

Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates and has implementations that are being purpose-built to help secure automotive software as well. 

In a video interview with eWEEK, Cappos explains why TUF is important in the modern threat landscape and how it is continuing to evolve.


“TUF helps to make sure that the software your organization has decided it should sign, gets securely to (end-user) parties,” Cappos said.

TUF defines an system in which software updates are cryptographically signed and secured in a validated way to help minimize the risk of software tampering. There have been multiple incidents in recent years, including one involving cCleaner, in which attackers were able to infiltrate and compromise development systems to send malicious updates to users.


TUF a Cloud Native Computing Foundation project

TUF became a Cloud Native Computing Foundation (CNCF) project in October 2017, alongside the Notary project. The CNCF is a Linux Foundation Collaborative Project and is home to multiple technology projects including the Kubernetes container orchestration system. Cappos said that being part of the CNCF has helped to advance the TUF project, in terms of having proper governance and validation. The CNCF also helps to promote TUF and the work that the project is doing.

Cappos strongly believes that having a secure updating mechanism for software should be a requirement for security compliance. He emphasized that having secure updates is about more than just digitally signing updates, but having a mechanism, like TUF, that validates the signatures and the integrity of the software that is being delivered.

Of particular concern for software updates right now, according to Cappos, are Internet of Things (IoT) technologies, notably medical devices and the power grid, which could have a critical impact if malicious updates are delivered to these systems.

“If these issues are not fixed in these domains (IoT), people will die,” Cappos said.

Watch the full video with Justin Cappos above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.