MCP is fueling agentic AI, and introducing new security risks
Mitigating MCP server risks

When it comes to using MCP servers, there’s a big difference between developers using them for personal productivity and enterprises putting them into production use cases. Derek Ashmore, application transformation principal at Asperitas Consulting, suggests that corporate customers don’t rush MCP adoption until the technology is safer and more of the major AI vendors support MCP for their production-level environments.

One problem is that while some MCP risks can be eliminated or mitigated by deploying MCP servers in a secure manner, others are built into the MCP protocol itself. According to Equixly, the MCP protocol specification mandates session identifiers in URLs, which violates security best practices. MCP also lacks required message signing or verification mechanisms, which allows for message tampering. “MCP servers are still catching up in this security maturity cycle, making them particularly vulnerable during this adoption phase,” states Equixly CTO Alessio Della Piazza in a blog.

Some of these protocol issues were addressed in the latest MCP protocol update. MCP servers are now classified as OAuth resource servers, addressing some of the authentication issues that Equixly identified. There is also a new resource indicator requirement, which could prevent attackers from obtaining access tokens. The protocol now has mandatory protocol version headers, which will help reduce confusion about which version of which MCP server is running.

These changes don’t fix all the problems that security researchers have identified, nor do they instantly fix all the MCP servers already deployed, but they’re a sign that the community is moving in the right direction. And, for enterprises deploying MCP servers and implementing authorization flows, there’s now a new set of MCP security best practices. If those aren’t enough, Anthropic has also added a page about MCP server best practices to its own support portal, for organizations building new MCP servers. And, for organizations deploying third-party MCP servers, CyberArk has some advice:

- Before using a new MCP server, verify whether it is part of the official servers published on the MCP GitHub; if not, try using it in a sandbox environment first.
- Make sure to include MCP in your threat modeling, penetration tests, and red-team exercises.
- When you install a local MCP server, perform a manual code review for anomalies or backdoors. Supplement this by submitting the codebase to a large-language model or automated analysis tool to highlight any hidden malicious patterns.
- Use an MCP client whose default is to show you every tool call and its input before approving it.

Understanding MCP security is going to be key for enterprises going forward, especially if they are deploying AI agents in any significant way. According to Gartner, MCP is emerging as the AI integration standard; the firm predicts that by 2026, 75% of API gateway vendors and 50% of iPaaS vendors will have MCP features.

Organizations need to be careful about the expanded attack surface and about new supply chain risks from third-party MCP servers. That can sound familiar to cybersecurity managers. These are all issues that the industry has had to deal with before. But MCP servers are more than just a new version of APIs, warns Lori MacVittie, distinguished engineer and chief evangelist in F5 Networks’ Office of the CTO. It’s a fundamental paradigm shift, she says, similar in impact to the move from perimeter security to application security. “MCP is breaking everything,” she says. “It’s breaking core security assumptions that we’ve held for a long time.”

The reason? Most of the functionality of MCP lies within the context window, where the MCP server communicates in plain language with AI agents. That means that there’s potential for deceit and manipulation. “Someone can say, ‘I am the CEO.’ How do you prevent that?” The system can’t be trusted to work as intended because its core components, AI agents and LLMs, are not deterministic. “I don’t think anyone’s got how to do it right yet,” MacVittie says.

MCP security vendors

That’s not to say that there aren’t already vendors out there trying to sell MCP security. Here are a few:

- BackSlash Security: Searchable database of thousands of MCP servers with risk ratings, a free MCP risk self-assessment tool, and commercial services to manage MCP risks.
- Lasso Security: Open-source MCP gateway that allows configuration and lifecycle management of MCP servers and sanitizes sensitive information in MCP messages.
- Invariant Labs: Their MCP-Scan is an open-source scanner that performs static analysis of MCP servers and does real-time monitoring to detect tool poisoning attacks, rug pulls, and prompt injection attacks.
- Pillar Security: MCP server protection services including automated discovery, red teaming assessments and runtime protection.
- Palo Alto Networks: Their Cortex Cloud WAAS tool offers MCP protocol validation and detects API-layer attacks against MCP endpoints.
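As an added example (not code from the article or from any vendor it names), the following defender-side linter inspects constructed MCP-over-HTTP requests for the issues described above: a session identifier carried in the URL, a missing protocol version header, a missing OAuth bearer token, and a tool call that no operator has approved. The header names MCP-Protocol-Version and Mcp-Session-Id, the hostname, and the approved-tool set are assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed list of query-parameter names that usually carry a session identifier
SESSION_KEYS = {"session", "sessionid", "session_id", "sid"}


def lint_mcp_request(url, headers, body, approved_tools):
    """Inspect one MCP-over-HTTP request; return a list of findings (empty = clean)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    # 1. Session identifiers belong in a header, not the URL, where they leak through
    #    proxy logs, browser history and Referer headers (the Equixly finding).
    leaked = [k for k in parse_qs(urlsplit(url).query) if k.lower() in SESSION_KEYS]
    if leaked:
        findings.append("session identifier in URL query: " + ", ".join(leaked))
    # 2. A mandatory protocol version header removes ambiguity about which revision
    #    of the spec the server is expected to speak (header name is an assumption).
    if "mcp-protocol-version" not in hdrs:
        findings.append("missing MCP-Protocol-Version header")
    # 3. The server is an OAuth resource server, so every request needs a bearer token.
    auth = hdrs.get("authorization", "")
    if not auth.lower().startswith("bearer ") or not auth[7:].strip():
        findings.append("no bearer token: request is unauthenticated")
    # 4. Surface every tool call with its input and block tools nobody has approved.
    try:
        msg = json.loads(body)
    except ValueError:
        findings.append("body is not valid JSON-RPC")
        return findings
    if msg.get("method") == "tools/call":
        params = msg.get("params", {})
        if params.get("name") not in approved_tools:
            findings.append(f"unapproved tool call {params.get('name')!r} with "
                            f"arguments {json.dumps(params.get('arguments', {}))}")
    return findings


# Constructed sample traffic, not captured data: one bad request and one clean one.
BAD_REQUEST = dict(
    url="https://mcp.example.internal/mcp?session_id=4f2a9c",
    headers={"Content-Type": "application/json"},
    body='{"jsonrpc":"2.0","id":1,"method":"tools/call",'
         '"params":{"name":"send_email","arguments":{"to":"ceo@example.com"}}}')
GOOD_REQUEST = dict(
    url="https://mcp.example.internal/mcp",
    headers={"MCP-Protocol-Version": "2025-06-18", "Mcp-Session-Id": "4f2a9c",
             "Authorization": "Bearer <token-placeholder>"},
    body='{"jsonrpc":"2.0","id":2,"method":"tools/call",'
         '"params":{"name":"search_docs","arguments":{"query":"expense policy"}}}')
```

Calling `lint_mcp_request(**BAD_REQUEST, approved_tools={"search_docs"})` yields four findings, one per check, while the same call on `GOOD_REQUEST` returns an empty list; wire the function in front of an MCP gateway or client to log every tool call and hold unapproved ones for review.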

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4015222/mcp-uses-and-risks.html
