2025-08-04, Florentine F
The Model Context Protocol (MCP) is rapidly becoming the backbone for connecting large language models (LLMs) to external tools and datasets, turning static AI into dynamic, powerful systems. Yet as MCP adoption grows, so does its attractiveness to attackers, as with any widely deployed tool, and that demands rigorous attention.
This technical session will give an overview of the security vulnerabilities emerging in MCP servers, highlighting the critical risks that engineering teams need to recognize and address. It will examine key security considerations across local and remote hosting environments: for instance, the direct control but physical-security burden of local deployments, and the convenience of cloud deployments paired with shared-tenancy and third-party-dependency risks. It will also shed light on subtle protocol-level features, such as the seemingly harmless 'sampling' mechanism, by which a server asks the client's LLM to generate completions on its behalf; if it is not properly secured, sampling can inadvertently expose sensitive information and enable inference attacks or unauthorized data extraction.
But don't panic yet! We will address these threats by exploring robust defenses: OAuth authorization reinforced by PKCE, so that an intercepted authorization code cannot be redeemed for a token; strict adherence to the principle of least privilege (PoLP) to tightly scope data access; secure credential handling through secrets management platforms; and continuous security auditing with real-time dependency analysis tools. Together, these strategies provide a practical roadmap for fortifying MCP servers against evolving security threats, and for identifying and closing these security gaps effectively.
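To make the PKCE defense concrete, here is an added example that is not part of the talk or of any MCP implementation: a hypothetical in-memory authorization server (class name and endpoints are assumptions) that records the S256 code_challenge at authorization time and refuses to mint a token unless the presented code_verifier hashes back to it. The scenarios at the bottom show why this stops code interception: an attacker who sees the redirect gets the authorization code, but the verifier never left the legitimate client's memory.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes give 43 unreserved characters (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server fronting an MCP server (assumed design)."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        # Accept S256 only: "plain" sends the verifier itself, so anyone who sees the request has it.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code  # in a real flow this rides on the redirect back to the client

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        # Pop before checking: a code is single-use, and a failed exchange burns it too,
        # so an interceptor cannot keep guessing verifiers against the same code.
        entry = self._pending.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already-used code")
        pending_client, pending_redirect, challenge = entry
        if client_id != pending_client or redirect_uri != pending_redirect:
            raise PermissionError("invalid_grant: client or redirect_uri mismatch")
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenarios() -> dict:
    """Constructed scenarios: an interceptor holding only the code, then a legitimate client and a replay."""
    server = AuthorizationServer()
    client_id, redirect_uri = "mcp-client", "http://127.0.0.1:8765/callback"  # assumed values
    results = {}

    # Scenario 1: attacker captured the redirect (and so the code) but never saw the verifier.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    try:
        server.token(code, client_id, redirect_uri, make_code_verifier())  # attacker's own guess
        results["intercepted"] = True
    except PermissionError:
        results["intercepted"] = False

    # Scenario 2: fresh authorization; the real client redeems with the verifier it kept in memory.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    try:
        results["legitimate"] = server.token(code, client_id, redirect_uri, verifier)["token_type"] == "Bearer"
    except PermissionError:
        results["legitimate"] = False

    # Scenario 3: replaying the already-redeemed code, even with the right verifier, must fail.
    try:
        server.token(code, client_id, redirect_uri, verifier)
        results["replay"] = True
    except PermissionError:
        results["replay"] = False
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The transform is checkable against the RFC 7636 Appendix B vector: the verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must yield the challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. Rejecting the `plain` method and binding the redirect_uri at exchange time are the two details most often skipped in hand-rolled servers; the `state` parameter and TLS are still needed on top of this for CSRF and transport protection.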
David is currently CTO and Co-Founder of Jit, the Continuous Security platform for developers. He has a PhD in Bioinformatics and for the past 20 years has been a full-stack developer, CTO and technical evangelist, mostly in the cloud and specifically in cloud security, working for leading organizations such as MyHeritage and CloudLock (acquired by Cisco), and leading the 'advanced development team' for the CTO of Cisco's cloud security business (a $500M ARR BU).