How The Update Framework Improves Software Distribution Security

Jul 13, 2018

In recent years there have been multiple cyberattacks that compromised a software developer's network in order to deliver malware inside software updates. That is a situation Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve.

Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates, and has implementations being purpose-built to help secure automotive software as well.

In a video interview with eWEEK, Cappos explains why TUF is important in the modern threat landscape and how it is continuing to evolve.

“TUF helps to make sure that the software your organization has decided it should sign, gets securely to (end-user) parties,” Cappos said.

TUF defines a system in which software updates are cryptographically signed and validated in a way that minimizes the risk of tampering. There have been multiple incidents in recent years, including one involving CCleaner, in which attackers infiltrated and compromised development systems to send malicious updates to users.

TUF a Cloud Native Computing Foundation project

TUF became a Cloud Native Computing Foundation (CNCF) project in October 2017, alongside the Notary project. The CNCF is a Linux Foundation Collaborative Project and is home to multiple technology projects including the Kubernetes container orchestration system. Cappos said that being part of the CNCF has helped to advance the TUF project, in terms of having proper governance and validation. The CNCF also helps to promote TUF and the work that the project is doing.

Cappos strongly believes that a secure update mechanism should be a requirement for security compliance. He emphasized that secure updates involve more than digitally signing them: a mechanism like TUF must also validate the signatures and the integrity of the software being delivered.
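The two points above (signed updates validated by the client, and validation meaning more than a bare signature check) are easier to see in code. The following is an added example, not code from the article, from TUF or from Notary: a simplified Go client modelled on the signed-metadata design in the published TUF specification, using only the Go standard library (crypto/ed25519). The type and function names (Signed, Role, verifyMetadata, verifyTarget, scenarios) and the keys, update bytes and timestamps are the example's own, constructed here. It shows a 2-of-3 signing threshold, expiry (a stale but validly signed update is rejected), rollback protection (a validly signed older version is rejected), and a length-plus-digest check on the downloaded file, which are exactly the checks a signature-only verifier would miss.

```go
package main

import (
	"crypto/ed25519"; "crypto/rand"; "crypto/sha256"; "encoding/hex"
	"encoding/json"; "errors"; "fmt"; "time"
)

// Target describes one update file by exact length and hex SHA-256 digest.
type Target struct{ Length int; SHA256 string }

// Signed is the payload the targets role signs (simplified from the TUF specification).
type Signed struct{ Role string; Version int; Expires time.Time; Targets map[string]Target }

// Signature binds a key id to a hex Ed25519 signature over the exact payload bytes.
type Signature struct{ KeyID, Sig string }

// Metadata is what the repository publishes: the payload plus detached signatures.
type Metadata struct{ Signed json.RawMessage; Signatures []Signature }

// Role is the client's trusted view of who may sign and how many keys must agree.
type Role struct{ Keys map[string]ed25519.PublicKey; Threshold int }

func keyID(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:]) }

// sign (repository side) serialises the payload once and signs those bytes with each key.
func sign(s Signed, keys []ed25519.PrivateKey) ([]byte, error) {
	payload, err := json.Marshal(s)
	if err != nil { return nil, err }
	m := Metadata{Signed: payload}
	for _, k := range keys {
		pub := k.Public().(ed25519.PublicKey)
		m.Signatures = append(m.Signatures, Signature{keyID(pub), hex.EncodeToString(ed25519.Sign(k, payload))})
	}
	return json.Marshal(m)
}

// verifyMetadata (client side) requires a threshold of valid signatures from distinct trusted
// keys, the expected role, an unexpired payload (freeze attack) and no rollback below the
// version the client already trusts. A signature check alone would pass the last two cases.
func verifyMetadata(raw []byte, role Role, wantRole string, trustedVersion int, now time.Time) (*Signed, error) {
	var m Metadata
	if err := json.Unmarshal(raw, &m); err != nil { return nil, err }
	seen := map[string]bool{}
	for _, sig := range m.Signatures {
		pub, ok := role.Keys[sig.KeyID]
		if !ok || seen[sig.KeyID] { continue } // unknown or duplicate key does not count
		if b, err := hex.DecodeString(sig.Sig); err == nil && ed25519.Verify(pub, m.Signed, b) { seen[sig.KeyID] = true }
	}
	if len(seen) < role.Threshold { return nil, fmt.Errorf("%d of %d required signatures", len(seen), role.Threshold) }
	var s Signed
	if err := json.Unmarshal(m.Signed, &s); err != nil { return nil, err }
	if s.Role != wantRole { return nil, errors.New("metadata is for a different role") }
	if !now.Before(s.Expires) { return nil, errors.New("metadata expired") }
	if s.Version < trustedVersion { return nil, errors.New("version rollback") }
	return &s, nil
}

// verifyTarget checks downloaded bytes against the length and digest in trusted metadata.
func verifyTarget(s *Signed, name string, data []byte) error {
	t, ok := s.Targets[name]
	if !ok { return errors.New("target not listed in metadata") }
	if len(data) != t.Length { return errors.New("length mismatch") }
	if d := sha256.Sum256(data); hex.EncodeToString(d[:]) != t.SHA256 { return errors.New("digest mismatch") }
	return nil
}

// scenarios builds a 2-of-3 targets role and reports which updates the client accepts.
// Keys, update bytes and timestamps below are constructed for this example.
func scenarios() (map[string]bool, error) {
	var privs []ed25519.PrivateKey
	role := Role{Keys: map[string]ed25519.PublicKey{}, Threshold: 2}
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil { return nil, err }
		privs, role.Keys[keyID(pub)] = append(privs, priv), pub
	}
	now := time.Date(2018, 7, 13, 0, 0, 0, 0, time.UTC)
	update := []byte("constructed update payload v2")
	d := sha256.Sum256(update)
	good := Signed{"targets", 2, now.Add(24 * time.Hour), map[string]Target{"app.bin": {len(update), hex.EncodeToString(d[:])}}}
	old, stale := good, good
	old.Version, stale.Expires = 1, now.Add(-time.Hour)
	accepts := func(s Signed, keys []ed25519.PrivateKey, data []byte) bool {
		raw, err := sign(s, keys)
		if err != nil { return false }
		meta, err := verifyMetadata(raw, role, "targets", 2, now) // client already trusts version 2
		return err == nil && verifyTarget(meta, "app.bin", data) == nil
	}
	return map[string]bool{
		"valid":           accepts(good, privs[:2], update),
		"one_signature":   accepts(good, privs[:1], update),  // below the 2-key threshold
		"expired":         accepts(stale, privs[:2], update), // freeze attack: stale but validly signed
		"rollback":        accepts(old, privs[:2], update),   // validly signed, but older than trusted
		"tampered_target": accepts(good, privs[:2], []byte("constructed update payload v3")),
	}, nil
}

func main() { res, err := scenarios(); if err != nil { panic(err) }; fmt.Println(res) }
```

Only the first scenario is accepted. The other four all carry signatures that verify correctly under at least one trusted key, which is why a client that checks only "is this signed?" is not enough: expiry, version monotonicity and the per-file length and digest are what turn a signature into a validated update.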

Of particular concern for software updates right now, according to Cappos, are Internet of Things (IoT) technologies, notably medical devices and the power grid, which could have a critical impact if malicious updates are delivered to these systems.

“If these issues are not fixed in these domains (IoT), people will die,” Cappos said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
