An open-source specification that secures software updates has just become the ninth Cloud Native Computing Foundation project to graduate to top-level status.
The CNCF is an organization that’s responsible for overseeing the development of several popular open-source, cloud-native software projects, including Kubernetes, which is used to manage and orchestrate software containers that host modern applications. The Update Framework, or TUF, is the first security-focused project under its umbrella to graduate.
TUF was created about a decade ago as a way to build system resilience against key compromises and other attacks that can spread malware or compromise a repository. It aims to provide a framework for securing new and existing software update systems, including a set of libraries, file formats and utilities, and is flexible enough to work with the vast majority of existing software update systems.
TUF was first accepted as an incubator project by the CNCF in 2017 and has since become a de facto standard for securing software update systems. It’s commonly used by big technology companies, including Amazon Web Services Inc., Microsoft Corp., Docker Inc., IBM Corp., Red Hat Inc. and VMware Inc.
“We designed TUF so that an organization does not need to be perfect in their operational security,” said Justin Cappos, an associate professor of computer science and engineering at NYU Tandon School of Engineering, who initially created the project. “If a company accidentally makes a signing key public, has a hacker break into their software repository, or if a disgruntled employee goes rogue, the damage they can cause is limited. Defense in depth is key to security, and the security of the software update infrastructure is among the most critical concerns in practice.”
To graduate under the CNCF, open-source projects must meet several criteria, including “thriving adoption, an open governance process, and a strong commitment to community, sustainability and inclusivity,” the CNCF said.
“Enterprises like to see broad adoption of open source and the CNCF model of waiting for broad adoption of projects as a gatekeeper to graduation is a smart strategy to achieve exactly that – wide adoption,” said Holger Mueller, principal analyst and vice president at Constellation Research Inc. “TUF is a key contribution to make software updates more secure, resilient and robust, a key capability given the pressure on enterprises to move faster that also means a faster update cycle for their next-generation applications.”