Merge pull request #270951 from cdpark/group3-secure-code-blackmist

JamesJBarnett · web-flow · commit 6bb795e1c80d · 2024-04-03T09:52:59.000-07:00
User Story 233117: Q&amp;M: March AzureML Freshness updates - Secure code
diff --git a/articles/machine-learning/concept-secure-code-best-practice.md b/articles/machine-learning/concept-secure-code-best-practice.md
@@ -1,70 +1,70 @@
 ---
 title: Secure code best practices
 titleSuffix: Azure Machine Learning
-description: Learn about potential security threats that may exist when developing for Azure Machine Learning, mitigations, and best practices.
+description: Learn about potential security threats that exist when developing for Azure Machine Learning, mitigations, and best practices.
 services: machine-learning
 ms.service: machine-learning
 ms.subservice: enterprise-readiness
 ms.topic: conceptual
 ms.author: larryfr
 author:  Blackmist
 ms.reviewer: deeikele
-ms.date: 03/11/2024
+ms.date: 04/02/2024
 ---
 
-# Secure code best practices with Azure Machine Learning
+# Best practices for secure code
 
-In Azure Machine Learning, you can upload files and content from any source into Azure. Content within Jupyter notebooks or scripts that you load can potentially read data from your sessions, access data within your organization in Azure, or run malicious processes on your behalf.
+In Azure Machine Learning, you can upload files and content from any source into Azure. Content within Jupyter notebooks or scripts that you load can potentially read data from your sessions, access sensitive data within your organization in Azure, or run malicious processes on your behalf.
 
 > [!IMPORTANT]
 > Only run notebooks or scripts from trusted sources. For example, where you or your security team have reviewed the notebook or script.
 
 ## Potential threats
 
-Development with Azure Machine Learning often involves web-based development environments (Notebooks & Azure Machine Learning studio). When you use web-based development environments, the potential threats are:
+Development with Azure Machine Learning often involves web-based development environments, such as notebooks or the Azure Machine Learning studio. When you use web-based development environments, the potential threats are:
 
-* [Cross site scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
+* [Cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
 
     * __DOM injection__: This type of attack can modify the UI displayed in the browser. For example, by changing how the run button behaves in a Jupyter Notebook.
-    * __Access token/cookies__: XSS attacks can also access local storage and browser cookies. Your Microsoft Entra authentication token is stored in local storage. An XSS attack could use this token to make API calls on your behalf, and then send the data to an external system or API.
+    * __Access token or cookies__: XSS attacks can also access local storage and browser cookies. Your Microsoft Entra authentication token is stored in local storage. An XSS attack could use this token to make API calls on your behalf, and then send the data to an external system or API.
 
-* [Cross site request forgery (CSRF)](https://owasp.org/www-community/attacks/csrf): This attack may replace the URL of an image or link with the URL of a malicious script or API. When the image is loaded, or link clicked, a call is made to the URL.
+* [Cross-site request forgery (CSRF)](https://owasp.org/www-community/attacks/csrf): This attack could replace the URL of an image or link with the URL of a malicious script or API. When the image is loaded, or link clicked, a call is made to the URL.
 
 ## Azure Machine Learning studio notebooks
 
-Azure Machine Learning studio provides a hosted notebook experience in your browser. Cells in a notebook can output HTML documents or fragments that contain malicious code.  When the output is rendered, the code can be executed.
+Azure Machine Learning studio provides a hosted notebook experience in your browser. Cells in a notebook can output HTML documents or fragments that contain malicious code. When the output is rendered, the code can be executed.
 
 __Possible threats__:
-* Cross site scripting (XSS)
-* Cross site request forgery (CSRF)
+* Cross-site scripting (XSS)
+* Cross-site request forgery (CSRF)
 
 __Mitigations provided by Azure Machine Learning__:
 * __Code cell output__ is sandboxed in an iframe. The iframe prevents the script from accessing the parent DOM, cookies, or session storage.
 * __Markdown cell__ contents are cleaned using the dompurify library. This blocks malicious scripts from executing with markdown cells are rendered.
-* __Image URL__ and __Markdown links__ are sent to a Microsoft owned endpoint, which checks for malicious values. If a malicious value is detected, the endpoint rejects the request.
+* __Image URL__ and __markdown links__ are sent to a Microsoft-owned endpoint, which checks for malicious values. If a malicious value is detected, the endpoint rejects the request.
 
 __Recommended actions__:
-* Verify that you trust the contents of files before uploading to studio. When uploading, you must acknowledge that you're uploading trusted files.
-* When selecting a link to open an external application, you'll be prompted to trust the application.
+* Verify that you trust the contents of files before uploading to the studio. You must acknowledge that you're uploading trusted files.
+* When selecting a link to open an external application, you're prompted to trust the application.
 
 ## Azure Machine Learning compute instance
 
-Azure Machine Learning compute instance hosts __Jupyter__ and __Jupyter Lab__. When you use either, cells in a notebook or code in can output HTML documents or fragments that contain malicious code. When the output is rendered, the code can be executed. The same threats also apply when you use __RStudio__ and __Posit Workbench (formerly RStudio Workbench)__ hosted on a compute instance.
+Azure Machine Learning compute instance hosts Jupyter and JupyterLab. When you use either, code inside notebook cells can output HTML documents or fragments that contain malicious code. When the output is rendered, the code can be executed. The same threats apply when you use RStudio or Posit Workbench (formerly RStudio Workbench) hosted on a compute instance.
 
 __Possible threats__:
-* Cross site scripting (XSS)
-* Cross site request forgery (CSRF)
+* Cross-site scripting (XSS)
+* Cross-site request forgery (CSRF)
 
 __Mitigations provided by Azure Machine Learning__:
-* None. Jupyter and Jupyter Lab are open-source applications hosted on the Azure Machine Learning compute instance.
+* None. Jupyter and JupyterLab are open-source applications hosted on the Azure Machine Learning compute instance.
 
 __Recommended actions__:
-* Verify that you trust the contents of files before uploading to studio. When uploading, you must acknowledge that you're uploading trusted files.
+* Verify that you trust the contents of files before uploading. You must acknowledge that you're uploading trusted files.
 
-## Report security issues or concerns 
+## Report security issues or concerns
 
 Azure Machine Learning is eligible under the Microsoft Azure Bounty Program. For more information, visit [https://www.microsoft.com/msrc/bounty-microsoft-azure](https://www.microsoft.com/msrc/bounty-microsoft-azure).
 
-## Next steps
+## Related content
 
-* [Enterprise security for Azure Machine Learning](concept-enterprise-security.md)
+* [Enterprise security and governance for Azure Machine Learning](concept-enterprise-security.md)
diff --git a/articles/machine-learning/toc.yml b/articles/machine-learning/toc.yml
@@ -1365,7 +1365,7 @@
       href: how-to-manage-optimize-cost.md
     - name: Monitor
       href: monitor-azure-machine-learning.md
-    - name: Secure coding
+    - name: Secure code
       displayName: security threat
       href: concept-secure-code-best-practice.md
     - name: Audit and manage
