{"id":14423,"date":"2025-07-10T07:17:01","date_gmt":"2025-07-10T07:17:01","guid":{"rendered":"https:\/\/newestek.com\/?p=14423"},"modified":"2025-07-10T07:17:01","modified_gmt":"2025-07-10T07:17:01","slug":"mcp-is-fueling-agentic-ai-and-introducing-new-security-risks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14423","title":{"rendered":"MCP is fueling agentic AI \u2014 and introducing new security risks"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

Model Context Protocol (MCP) was created in late 2024 by OpenAI\u2019s top competitor Anthropic. It was so good as a means for providing a standardized way to connect AI models to various data sources and tools that OpenAI adopted it as a standard, as have most other big AI players and all three hyperscalers.<\/p>\n

In just a few months, MCP has caught fire, with several thousand MCP servers now available from a wide range of vendors enabling AI assistants to connect to their data and services. And with agentic AI<\/a> increasingly seen as the future of IT, MCP \u2014 and related protocols ACP and Agent2Agent<\/a> \u2014 will only grow in use in the enterprise.<\/p>\n

But as organizations rushing into AI<\/a> are beginning to find out, innovations like MCP also come with significant risks.<\/p>\n

In May, work management vendor Asana released an MCP server to allow AI assistants to access the Asana Work Graph. Though the server, AI assistants could access an organization\u2019s Asana data, generate reports, and create and manage tasks, for example. One month later, security researchers found a bug<\/a> that could have allowed users to see data belonging to other users. That same month, Atlassian also released an MCP server. Security researchers found<\/a> a vulnerability allowing attackers to submit malicious support tickets and gain privileged access.<\/p>\n

The risk is so big that OWASP launched its MCP Top 10 project<\/a> the same day as the Atlassian attack report was published, though, as of this writing, the OWASP list is still empty.<\/p>\n

On that same week, an update to MCP was released<\/a>, addressing some of the vulnerabilities that security experts have been worrying about.<\/p>\n

Here is an in-depth look at MCP and what CISOs should know about its risks, mitigations, and emerging solutions for better securing the MCP servers on which their organization\u2019s AI agents increasingly depend.<\/p>\n

What is model context protocol (MCP)?<\/h2>\n

MCP is a kind of API, but instead of allowing one computer program to talk to another computer program in a standardized way, it allows an AI agent or chatbot to talk to databases, tools, and other resources.<\/p>\n

In the past, a company that wanted to pass data into an LLM would turn that data into a vector database and pass relevant context to the AI by adding the information to a prompt. This was called RAG, or retrieval augmented generation<\/a>, and required a vector database, and then a custom integration into the application\u2019s business logic.<\/p>\n

MCP servers turned this on its head.<\/p>\n

Instead of doing multiple integrations, a developer can just put an MCP server in front of the database, and an AI agent can just pull whatever data it needs, when it needs it, no additional programming necessary. Anthropic has already announced pre-built MCP servers for Atlassian, Cloudflare, Intercom, Linear, PayPal, Plaid, Sentry, Square, Wokato, Zapier, and Invideo. And that\u2019s for the consumer-friendly version of Claude. Developers using Claude Code can access any MCP server anywhere.<\/p>\n

OpenAI announced support for MCP server connections to Cloudflare\u2060, HubSpot\u2060, Intercom, PayPal, Plaid, Shopify\u2060, Stripe, Square, Twilio, Zapier, and more in late May. But developers can connect OpenAI\u2019s models to any MCP server anywhere by using OpenAI\u2019s Responses API.<\/p>\n

Companies can use MCP servers to expose their own data to their own AI processes, to expose their own data to external users, or to connect to public sources of information or functionality.<\/p>\n

All these carry significant risks to all parties involved, but the technology is so useful that many companies are moving ahead anyway.<\/p>\n

And it\u2019s not just tech firms. Yageo Group, a manufacturing company, is already looking at deploying the technology. Some of that is being done by recently acquired subsidiaries. \u201cAnd the parent company I\u2019m working at right now is looking at expanding governance around it,\u201d says Terrick Taylor, information security operations manager at Yageo.<\/p>\n

But he\u2019s worried about security implications, including data leakage, and with so many applications being built at so many different sites, it\u2019s hard to keep up. \u201cPretty soon my hair is going to turn gray.\u201d<\/p>\n

Mitigating MCP server risks<\/h2>\n

When it comes to using MCP servers there\u2019s a big difference between developers using it for personal productivity and enterprises putting them into production use cases.<\/p>\n

Derek Ashmore, application transformation principal at Asperitas Consulting, suggests that corporate customers don\u2019t rush on MCP adoption until the technology is safer and more of the major AI vendors support MCP for their production-level environments.<\/p>\n

One problem is that while MCP risks can be eliminated or mitigated by deploying MCP servers in a secure manner, others are built into the MCP protocol itself. According to Equixly, the MCP protocol specification mandates session identifiers in URLs, which violates security best practices. MCP also lacks required message signing or verification mechanisms, which allows for message tampering.<\/p>\n

\u201cMCP servers are still catching up in this security maturity cycle, making them particularly vulnerable during this adoption phase,\u201d states Equixly CTO Alessio Della Piazza in a blog<\/a>.<\/p>\n

Some of these protocol issues were addressed in the latest MCP protocol update<\/a>.<\/p>\n

MCP servers are now classified as OAuth resource servers, addressing some of the authentication issues that Equixly identified. There is also a new resource indicator requirement, which could prevent attackers from obtaining access\u2019 tokens.<\/p>\n

The protocol has now mandatory protocol version headers, which will help reduce confusion about which version of which MCP server is running.<\/p>\n

These changes<\/a> don\u2019t fix all the problems that security researchers have identified, nor do they instantly fix all the MCP servers already deployed, but they\u2019re a sign that the community is moving in the right direction.<\/p>\n

And, for enterprises deploying MCP servers and implementing authorization flows, there\u2019s now a new set of MCP security best practices<\/a>.<\/p>\n

If those aren\u2019t enough, Anthropic<\/a> has also added a page about MCP server best practices to its own support portal, for organizations building new MCP servers.<\/p>\n

And, for organizations deploying third-party MCP servers, CyberArk has some advice:<\/p>\n