Marvelous MLOps #31: Security-aware MLOps

Machine learning engineers and data scientists are not always aware of security best practices, which creates real risks. MLSecOps has become a separate discipline that covers five specific areas:

  • Supply Chain Vulnerability addresses the risks associated with the dependencies and components of ML systems, such as third-party dependencies, data sources, and infrastructure.
  • Model Provenance refers to the traceability and reproducibility of ML systems, such as the ability to identify which code, data, model artifacts, infrastructure, and environment were used for a given model deployment.
  • Governance, Risk, and Compliance focuses on establishing procedures and controls to ensure ML systems comply with regulations and internal security standards.
  • Trusted AI refers to the transparency and explainability of ML systems.
  • Adversarial Machine Learning focuses on defending ML systems against adversarial attacks, such as input perturbations or poisoning attacks.

This article will focus on dangers coming from third-party dependencies, more specifically Python packages, Docker images, and external GitHub Actions.

Python security threats: pip install malware

It might not be obvious to everyone, but PyPI also contains malicious software. PyPI is an open package registry, and even though its security team does great work to take down malicious packages, they can’t catch every problem. If you see a security issue, you can always report it here: https://pypi.org/security/.

When it comes to security, every detail matters. PyPI contains malicious packages that rely on human errors:

  • Misspelling (requests is legit; rrequests and requesys were malware)
  • Versioning confusion (requests is legit, requests3 was malware)
  • Naming confusion (python-dotenv is legit, dotenv-python was malware)
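A lightweight check for the three name-confusion patterns above, written as an added example (not code from the original article): it compares each line of a requirements file against a constructed list of packages the team has vetted and reports names that merely look like a vetted package.

```python
import re
# Packages the team has reviewed and allows (constructed list for this example).
VETTED = {"requests", "python-dotenv", "numpy", "pandas"}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name: str, vetted=VETTED):
    """Return (reason, vetted_name) if name resembles a vetted package, else None."""
    n = normalize(name)
    if n in vetted:
        return None
    for v in sorted(vetted):
        if re.fullmatch(re.escape(v) + r"\d+", n):        # requests3
            return ("version-suffix", v)
        if sorted(n.split("-")) == sorted(v.split("-")):  # dotenv-python
            return ("reordered-words", v)
        if levenshtein(n, v) <= 2:                        # rrequests, requesys
            return ("misspelling", v)
    return None

def requirement_name(line: str) -> str:
    """Strip version specifiers, extras, markers and URLs from a requirements line."""
    return re.split(r"[\s<>=!~;@\[]", line.strip(), maxsplit=1)[0]

def audit(requirements_text: str, vetted=VETTED):
    """Flag each requirement that is not vetted but looks like a vetted package."""
    findings = []
    for raw in requirements_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        name = requirement_name(raw)
        hit = lookalike(name, vetted)
        if hit:
            findings.append((name, *hit))
    return findings

# Constructed requirements file mixing legitimate names with the lookalikes from the article.
SAMPLE = "requests==2.31.0\nrrequests\nrequesys>=1.0\nrequests3\ndotenv-python\npython-dotenv>=1.0\nnumpy"
```

A finding is a signal for human review before installation, not proof that the package is malicious; names that resemble nothing on the vetted list pass silently, so this complements, rather than replaces, a full dependency review.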

Read further on our Substack.

Adesoji Alu

Software && DevOps Engineer

1 year

Thank you. Please, I would like to work with anyone who has an MLOps job to do.
