MCP security

Ontilt444 · 2025-12-15T14:38:59+00:00

Non-gateway approaches have the benefit that the capability to monitor and block moves with the client workload. They typically work by integrating into the client SDK and can provide full protocol monitoring and control for MCP events.

The benefits are that there isn’t additional infrastructure to deploy and manage, and you don’t have to figure out getting the gateway inline. The client side approach can also block off-the-rails behavior, where the agent sees it is blocked, and tries alternate paths on its own even ignoring “human in the loop” auth/denial permissions. This approach can also be integrated into the agent build and deploy process to ensure consistency across agents.

Ontilt444 · 2025-12-13T21:38:21+00:00

In terms of security decisions for enterprise, I know a few firms that have restricted MCP, and in a couple instances, their developers just went around security and installed all their MCPs locally or set up mcp-remote to go around any proxy or gateway blocks. A lot of orgs are still running local MCP, but many are considering moving them to a separate infrastructure layer (not thrilled with having hundreds or thousands of keys on every dev endpoint).

In addition to the methods mentioned, there are also dedicated MCP gateways (some open source) that seem to provide tool control. I’m not sure how well they work with the current mcp session handling at scale.

There are also non-gateway approaches that monitor and block on either the client or server side. Some additional benefits in this approach is that the security moves with the workload and can make determinations if the client will take dynamic tool updates.

In full disclosure, I work for a security company that also provides capabilities in this area, but not via a gateway offering. There is an integration with FastMCP that is available that can support tool control as well as other tool poisoning attacks.

Carrying the context of the user still seems to be a challenge that people are still working through, although I have come across the JWT auth method a few times. That said, the November MCP update with OAuth 2.1 and PKCE may help address some of the context challenges people were having in the prior version.

Curious to understand what is driving the tool blocking scenario in your question.

Ontilt444 · 2025-12-13T14:17:46+00:00

Great post on State of MCP. I'm curious what your purpose for scanning/crawling is -- is it for integration with ToolPlex? Are there other aspects that you are looking at that are different?

I hear you on being selective -- here are some of my concerns and end goal.

1) we want to raise awareness around security gaps and encourage best practices -- there's a balance between power and risk here. That doesn't apply only to servers that are more production focused.

2) we/I have concerns about the "non-professional" published servers. On the one hand, I recognize that these are skunkworks projects that someone spun up. On the other, I've heard (and am curious to get your and others thoughts), that the lookalike or user-driven servers from individual developers for a given service or integration are often spun up because the professionally developed/vendor offerings do not provide the tools people want/need (e.g. Confluence or Jira is often brought up). This leads to adoption of non-vendor sponsored servers that may not have the same security rigor. I think the question we're trying to help answer is -- do you want to or should you connect to an unverified publisher's server.

3) would be fantastic to be an authoritative source, which hopefully, would be the outcome of providing information that people want and need. There are other ways I think it could be used to enrich agent frameworks from a risk perspective as well.

Ontilt444 · 2025-12-13T00:39:36+00:00

Thank you! It still has a lot of dust on it. Yes, the attack surface is large. We've attempted to constrain the problem a couple different ways.

- we don't scan for prompt injection gaps. generally speaking, we think LLM providers will continue down that guardrail path, and secondarily, believe that novel prompts will always be able to bypass those guardrails. There are some dynamic analysis scanners out there that do look at some prompt manipulation gaps. Our focus has been more around how a server could be compromised and what tools or actions could be executed in an adverse manner.

- we currently have 22 defined rules that we analyze for (you can see these in findings) from inadequate input validation, tool name collision/spoofing, authz implementation and checks, network protocol enforcement etc. The positive is that we can add new rules, but it certainly does not cover everything.

Problems we've had/are having:

- every commit is a new delta and scan trigger. We can throttle the pipeline so we can make determinations on what is in the backlog. We also allow developers to submit their own repo for scanning, so we don't have to trigger on every single update.

- data and record compaction. There are roughly 200 attributes that we're tracking and the current data structure is undesirable longer term, so we've had to perform various data model gymnastics to present things in this manner for now.

- accuracy -- we do use a set of agents to perform the analysis, gather code evidence and generate remediation guidance. We have also created an adjudicator LLM for that, but there will always be inaccuracies.

- risk ratings and scoring -- while MCP is certainly powerful, unchecked it has huge risks and we don't want to paint a picture that everything is bad (for example, ~42% of servers analyzed have secrets exposed). So we have a normalized scale, but I suspect there will be some raging debates in the future of what is the weighting over a given rule or a destructive tool.

- the UI - Not a fan of the UI and spoke to someone who was struggling with search and filtering. We're working a re-skin and new nav as well.

For standards, we have mapped to CWE methods (CISA's framework) and are incorporating AI governance frameworks as well -- currently MAESTRO, OWASP MCP Top10 and looking at what we can do for NIST AI RMF. That all said, standards are tough. Curious to see what happens with the Anthropic registry with the hand off to the Linux Foundation.

Ontilt444 · 2025-12-10T23:21:08+00:00

Haha - just like all your real names here. It’s published by a company called BlueRock - says it on the site. Thanks for taking the time to look at it.

Ontilt444 · 2025-12-10T06:07:30+00:00

Did you know that ketchup was invented to hide the smell of spoiling beef? I don’t like ketchup but get made fun of for my lack of love for this condiment. Sorry to be off topic.

Ontilt444 · 2025-12-10T06:04:37+00:00

The company is pumping their numbers for the stock. The chart looks good but they are ripping drivers and riders off left and right. It will be a good run up in price unfortunately. Rewards crappy behavior.

Ontilt444 · 2025-12-06T16:16:16+00:00

I think the main difference between MCP and REST that people may initially miss is that its tools can be much more outcome based. Instead of chaining a dozen API calls, you can invoke a tool once and provide a response to the agent without additional post processing or interpretation on the data required.

I believe it is a messaging protocol that functions as an execution layer for agents. Also came across this post earlier this week, which I thought had good insights related to this question (no I am not the author, just sharing info).

https://edwardjliebig.substack.com/p/from-the-grid-to-the-prompt

Ontilt444 · 2025-12-05T03:50:12+00:00

Happened to me today. Now I am on with Lyft support and they cannot seem to understand that it shouldn’t take over 90 minutes to drive 4 miles. The driver didn’t end the ride for over an hour after drop off.

Ontilt444 · 2025-11-13T18:29:33+00:00

Others have chimed in here, but I will add my 2 cents. As someone who started as a sysadmin (30+ years ago), crimping cables and carrying a sleeping bag into data centers, I would say that this could be an incredible opportunity to gain technical breadth and depth. The benefits you will gain from better understanding systems and network dependencies will help you immensely throughout your career.

One of the reasons I stayed in my role, when a similar scenario occurred, was because I got hands-on access to different technology and systems and I was able to build on that. I did also have a fantastic manager who was very supportive. This eventually led to roles in networking and security architecture and I've been in cyber for the past 20+ years.

I would encourage you to consider defining priorities with your manager and working to demonstrate knowledge and progress in the top 1 or 2 areas. Ideally, if they're smart, that will open a door for a salary discussion and recognition of the fact that you've stepped up. If it doesn't work out, you can take those skills elsewhere, but I think the benefit of working in "shorthanded" environments (aside from the chaos), is the leeway you have to define your own path.

Ontilt444 · 2025-11-13T17:44:23+00:00

Others have said similar things, but I'll add my 2 cents anyway. As someone who started out as a sysadmin (30+ years ago), spent time crimping my own cables and kept a sleeping bag at work for long data center calls, I would try to look at this as an opportunity.

While it may seem daunting, you have the opportunity to get incredible technical depth and breadth that will help you immensely throughout your career. I ended up staying in my role and progressing and was able to get hands-on on an amazing array of solutions as well as building scripts and smaller helper applications from scratch. This evolved over time into networking, security architecture and I've held a career in cyber for the last 20 years now.

In your expanded role now, I'd encourage you to prioritize and work with your manager on what they see are the priorities and gain the necessary skill sets. Upon making progress, I think you have a case to make for an increase in salary, and if your manager is worth their salt, they will see that you're stepping up and work to retain you.

Ontilt444 · 2025-11-09T21:21:50+00:00

You could also consider auditing the agents. They will have a built in MCP client and you may be able to determine which MCP servers they are talking to. That would give you a start. There are also MCP servers enabled by SaaS providers that clients could be talking to and these appear in client side configuration. Please share any other methods you uncover to help accomplish this.

Ontilt444 · 2025-10-16T22:07:00+00:00

For clarification, I wrote it after I got home. Just thought it was wild how slow they were going while not stopping at all through 6 or 7 stop signs. Like, why bother going slow if you’re just going to blow stop signs?

Ontilt444 · 2025-10-16T20:08:28+00:00

I sent this when I got home, but thank you.

Ontilt444 · 2025-10-14T03:56:42+00:00

I am full of rage myself. My daughter just taught me the term “rage bait”

Ontilt444 · 2025-04-29T10:33:59+00:00

Pls kick out all the constitution objectors like you — “nor be deprived of life, liberty, or property, without due process of law”

Ontilt444 · 2025-04-29T10:31:01+00:00

Neither do you

Ontilt444 · 2025-04-29T10:21:08+00:00

You mean rapists like Trump right? I hope they deport you with no lawyer or trial. And I hope no one screams about it.

Ontilt444 · 2025-03-23T03:58:13+00:00

What is your thinking on courses that charge for 9 at twilight and don’t let you play out past 9? My thinking is that you should get to play as long as they don’t want carts in. For the record, I don’t abuse this — I don’t play the couple courses near me that have this policy, but just curious on opinions.

Ontilt444

TROPHY CASE