This security guide applies to the Data Attribute Recommendation Python SDK only. In addition to this document, please carefully consider the Security Guide for the Data Attribute Recommendation service itself.
This guide makes two recommendations to keep your usage of the SDK secure: * Keep your service keys secret * Keep your operating system, Python and dependencies up to date
Keep service keys secret¶
A service key for the Data Attribute Recommendation service gives full access to all data inside the service instances.
Consider the following security aspects:
A key holder can delete training data, remove models or deployments
A key holder can inspect DatasetSchemas and execute inference requests
A key holder can upload training data or cause high costs by deploying models and executing inference requests.
To prevent your key from falling into the wrong hands, note the following items:
Never copy and paste your service key into your Python code
Avoid committing your key to public source code hosting such as GitHub.
Avoid storing unencrypted keys. Instead, store service keys in an encrypted, secure storage.
There are python libraries available to easily and safely retrieve keys from your secure storage and use them in your project.
Modern operating systems typically come with a password manager built in, which can also be used in Python.
Keep the environment up to date¶
Keep your operating system and your Python installation always up to date with the latest security patches.
The Data Attribute Recommendation service uses HTTPS for communication.
With an outdated operating system or Python environment, it may be easier for a hypothetical man-in-the-middle attacker to find out the service key you are using or otherwise intercept or interfere with your communication with the Data Attribute Recommendation service.
To avoid this possibility, two properties should hold: * The SDK should authenticate the remote side of the connection * The connection itself should use high-quality cryptography and be secure
The SDK relies on the requests library to handle both aspects of the encrypted HTTPS communication. Note that the SDK will reject non-HTTPS URLs.
requests library uses the
certifi library as a source of root
CA certificates. These are used to validate the TLS certificate presented by the
certifi library can and should be updated independently, as recommended
by the requests documentation.
requests packages also verifies that the host name inside the
certificate matches the host name used inside the service key.
To actually establish the encrypted HTTPS connection,
requests uses the
urllib3 package will by default use the SSL implementation shipped with your
version of Python. Newer Python versions or even just the same version of Python linked
against an improved version of the underlying OpenSSL library can provide important
security fixes. Having an up-to-date system is thus crucial to having the most
cryptographically secure HTTPS connection.
From this rather technical discussion, the following takeaway: always apply security updates across your entire environment.
To update all Python packages used in your environment, consider
the combination of
pip list --outdated and
pip install --upgrade. Note
that the SDK itself only explicitly depends on
requests. The other packages
mentioned are installed as dependencies and must also be kept up to date.
The SDK itself can be expected to work with newer version of the
package, as expressed by the “greater-than” dependency declaration
For updates to your operating system or your Python stack, please contact the respective vendor.