
Secrets and Credential Security: The Complete Developer Guide
Leaked API keys caused $4.2B in cloud breaches last year. Learn how to detect, prevent, and respond to credential leaks across your entire development lifecycle.

MCP ships with minimal security defaults. This checklist operationalizes defense across seven control domains—trust tiers, localhost hardening, output sanitization, rate limiting, audit logging, multi-tenant isolation, and incident response—with concrete implementation examples and verification tests.

MCP's security lives entirely in the application layer—no injection detection, no audit trail, no behavioral monitoring, no per-tool access scoping. This post defines what a production security layer must provide, how to architect it across five components, and three deployment patterns with tradeoffs.

MCP treats audit logging as a utility feature—optional, implementation-specific, and entirely disconnected from security requirements. For organizations subject to SOC 2, HIPAA, or PCI-DSS, this isn't just inconvenient—it's a compliance gap that makes MCP unsuitable for regulated workloads.

Red team exercise: understanding how malicious MCP servers manipulate agents, evade detection, and exploit protocol weaknesses. Every technique maps to a documented CVE or proof-of-concept—this is offense-first analysis for defenders building AI agent infrastructure.

CVE-2025-66414 allowed malicious websites to send arbitrary requests to MCP servers running on localhost—no browser warning, no CORS error. Here's how DNS rebinding works against local MCP servers, the full attack flow, and defense in depth beyond the SDK patch.

Three CVEs in Anthropic's official Git MCP server demonstrate how traditional security vulnerabilities become agent-triggerable attacks—and why MCP needs automated security testing. The bugs shipped in production and were quietly fixed six months after disclosure.

Invariant Labs demonstrated that a malicious MCP server could exfiltrate WhatsApp message history without breaking any encryption. The attack bypassed the entire security model by manipulating the AI agent operating on post-decryption data—and it affects every E2E encrypted service with an MCP integration.

Invariant Labs demonstrated complete WhatsApp message exfiltration without touching WhatsApp's code. The attack exploited MCP's merged capability surface—where any server can steer agent behavior toward any tool. Here's the mechanism, real attack scenarios, and why traditional defenses fail.

MCP tool descriptions get injected into model context, enabling "line jumping" attacks that poison AI agents before any tool is called. Invariant Labs demonstrated real credential exfiltration using this technique against WhatsApp MCP.

The Model Context Protocol uses RFC 2119's "SHOULD" keyword for critical security controls—a deliberate choice that makes authentication, audit logging, and human approval optional. This is how successful security protocols enforce protection, and why MCP's approach guarantees fragmentation.

Model Context Protocol launched with OAuth recommendations and security documentation, but buried the critical detail: authorization is optional. Here's why that single word undermines every other security control in the ecosystem.