Track: Enterprise Data Strategy & Leadership
Format: Talk
Session Code: Sess-73
Day 3, 9:15 - 9:45 EST
This technical session will provide an overview of the emerging security vulnerabilities inherent in MCP servers, highlighting critical risks that engineering teams need to recognize and address. It will examine key security considerations across local and remote hosting environments: for instance, the direct control but physical security challenges of local deployments, and the convenience of cloud deployments paired with shared-tenancy and third-party dependency risks. The talk will also shed light on subtle protocol-level features, such as the seemingly harmless 'sampling' mechanism, which can inadvertently expose sensitive information and enable inference attacks or unauthorized data extraction if not properly secured. But don't panic yet! We will address these threats by exploring robust defenses: OAuth authentication reinforced by PKCE to prevent token interception, strict adherence to the principle of least privilege (PoLP) to tightly control data access, secure credential handling through secrets management platforms, and continuous security auditing using real-time dependency analysis tools. Together, these strategies provide a practical roadmap for fortifying MCP servers against evolving security threats and for identifying and closing these security gaps effectively.
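As an added illustration of the PKCE defense the abstract mentions (example code, not material from the session itself), the following Python models the S256 code_challenge binding that stops an intercepted authorization code from being redeemed without the original client's code_verifier. The AuthorizationServer class is a hypothetical in-memory stand-in for a real authorization server; the challenge derivation follows RFC 7636.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def _b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """code_verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory model of the PKCE state a real server keeps."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # authorization code -> challenge

    def authorize(self, code_challenge: str) -> str:
        # Authorization request: the client commits to a challenge up front.
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def exchange(self, code: str, code_verifier: Optional[str]) -> bool:
        """Token request: succeed only if the verifier hashes to the challenge."""
        challenge = self._pending.pop(code, None)  # codes are single-use
        if challenge is None or code_verifier is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def demo() -> Tuple[bool, bool]:
    """Legitimate client redeems its code; a holder of only the code cannot."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    legit = server.exchange(server.authorize(make_code_challenge(verifier)), verifier)
    # Second flow: the authorization code leaks, but the verifier never left the client.
    intercepted = server.exchange(server.authorize(make_code_challenge(make_code_verifier())), None)
    return legit, intercepted
```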