惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

Practical DevSecOps

Security Champion Certification: CSC vs. Pluralsight vs. Checkmarx - Which One Actually Gets You Hired? - Practical DevSecOps What Is a Certified Security Champion? Role, Responsibilities, and Career Path - Practical DevSecOps Top AI Red Team Certification Comparison: CAISP vs. OSAI vs. SEC536 - Which One Gets You Job-Ready Skills? - Practical DevSecOps Best Application Security Courses Compared: Top AppSec Trainings and Certifications in 2026 - Practical DevSecOps MCP Security Statistics 2026: CVEs, Vulnerabilities & Breach Data - Practical DevSecOps Highest-Paying Cybersecurity Certifications for 2026  - Practical DevSecOps MCP Gateway Security: How to Secure the AI Integration Layer - Practical DevSecOps Highest Paying MCP Security Job Roles with Salary Details 2026 - Practical DevSecOps How MCP Security Skills Boost Your Cybersecurity Profile - Practical DevSecOps Top 10 MCP Security Tools in 2026 MCP Security Architecture Guide: 5 Production Layers MCP Security Fundamentals: The 2026 Guide for Security Teams MCP Security Best Practices: What Actually Works in 2026 Best MCP Security Books in 2026: 6 Must-Reads for AppSec and AI Security Teams Best MCP Security Courses and Certifications in 2026 CAISP vs. CMCPSE: Which AI Security Cert Should You Pick in 2026? CMCPSE vs. MCP Security Fundamentals (APIsec): Which MCP Security Training Should You Choose? MCP OAuth 2.1 Security: Authentication Best Practices for AI Tool Integrations
MCP Security Checklist for Security Engineers and Developers
Varun Kumar · 2026-05-26 · via Practical DevSecOps

The Model Context Protocol now sits in front of production data, internal APIs, and developer machines at thousands of companies. That makes the MCP layer a high-value target. Researchers filed over 30 CVEs against MCP servers between January and February 2026, 43% of audited servers showed command injection bugs, and Palo Alto Unit 42 measured a 78.3% attack success rate once five servers were connected. This MCP security checklist for security engineers and developers is the short version of what to fix first, who owns each check, and how to test it.

Certified MCP Security Expert

Attack, defend, and pen test MCP servers in 30+ hands-on labs.

Certified MCP Security Expert

Why MCP needs its Security checklist

MCP servers run with delegated user permissions, call chained tools, and feed model output back into the agent loop. The MCP specification itself states that security cannot be enforced at the protocol level. Every check below is an implementation decision someone owns. If no one owns it, the gap ships to production.

Developer checklist (build phase)

Each item is what the developer writing or shipping an MCP server is on the hook for.

  • Input validation on every tool parameter. Treat tool args as untrusted. Reject path traversal patterns, shell metacharacters, and oversized payloads. 43% of audited servers fail this.
  • OAuth 2.1 for HTTP transport. If your server speaks HTTP, no-auth is not an option. Implement OAuth 2.1 with PKCE. Bind tokens to specific audiences.
  • Localhost binding by default. Bind STDIO and dev servers to 127.0.0.1. Binding to 0.0.0.0 is the CVE-2025-49596 pattern. Network exposure should be an explicit flag, never a default.
  • Tool descriptions free of hidden instructions. Strip <IMPORTANT>, <system>, and prompt-like patterns from tool returns. Hash and pin descriptions at first approval.
  • Session IDs from a CSPRNG. Predictable IDs lead to session hijack prompt injection across multi-server setups.
  • Pinned dependencies and SBOM. mcp-remote with 437,000+ downloads was compromised through dependency drift. Pin versions. Generate an SBOM per release.
  • Tool annotations set correctly. Set readOnlyHint, destructiveHint, and title on every tool. Agents use these to decide consent prompts.
  • No secrets in logs or model context. Scrub tokens from error messages. Never echo a credential back into agent memory.
  • Origin validation on HTTP servers. Check the Origin header. Reject cross-origin requests unless the client is on an allowlist.

Security engineer checklist (review and runtime)

This is what AppSec, red team, and platform security teams should be checking before any MCP server reaches production.

  • Threat model the agent loop, not just the server:
    Map every tool call path. Flag any tool that can read secrets, write files, or hit external network.
  • Inventory every MCP server
    Shadow MCP is real. Scan source repos, network egress, and dev laptops. You cannot govern what you cannot see.
  • Per-client consent for proxy servers
    Confused deputy attacks work when MCP proxies share a static client ID with a third-party auth server. Per-client consent kills the auth code redirect trick.
  • Test for tool poisoning before approval
    Run the server through a description scanner. Manually inspect any update that changes a tool description.
  • Block auto-update without code signing
    Day 1 benign, Day 7 malicious is the rug pull pattern. Require signed releases for any server in production.
  • Rate limit at the gateway
    Put an MCP gateway in front of remote servers. Apply rate limits, request size caps, and audit logging from one place.
  • Isolate sessions and process boundaries
    Each session gets its own process or sandbox. No shared filesystem between sessions.
  • Centralized logging with append-only integrity
    Hash chains. Logs that are easy to tamper with are useless for incident response.
  • Quarterly access review on tokens and scopes
    Permissions creep. Find tokens with stale scopes and kill them.

Shared checks (both roles)

  • Tool isolation between servers:
    Compromise of one server should not cascade. Researchers measured a 72.4% cascade rate across servers in the same agent.
  • Short-lived scoped tokens:
    No long-lived bearer tokens. Use 15-minute access tokens with refresh.
  • Sandboxed filesystem roots:
    Only expose what the tool needs. A filesystem MCP server with path traversal cost one team their WhatsApp contact database in May 2025.
  • Human-in-the-loop for destructive actions.
    Anything tagged destructiveHint: true should require a user confirmation step.

Build the skill, not just the checklist

A checklist sets the floor. Real defense comes from engineers who can attack a server, read the protocol spec end-to-end, and write defenses that hold up under red team pressure. The Certified MCP Security Expert (CMCPSE) course is built for exactly that. Hands-on labs on tool poisoning, supply chain attacks, OAuth misuse, and agent loop defense. If your team is shipping MCP servers in 2026, this is the credential to back the checklist with practical skill. 

Enroll in the Certified MCP Security Expert (CMCPSE) course and build real attack and defense skill on top of these checks.

Final pass before you ship

Before any MCP server goes live, answer these five questions:

  1. Who can call this server, and how is that decision enforced?
  2. What is the worst thing a malicious tool description can make the agent do?
  3. If this server is compromised, what is the blast radius?
  4. How will I detect a compromise within 24 hours?
  5. How will I roll it back?

Conclusion

MCP security is not a 2027 problem. Servers are getting hit now, CVEs are landing weekly, and the attack patterns are already public. Every item on this checklist maps to a real CVE, a real breach, or a real spec requirement that someone shipped without reading. None of them are theoretical.

Pick the five items most relevant to your stack. Assign each one an owner. Set a fix date. Then do the next five. The teams that work the checklist in this order ship safer agents than the teams chasing the latest scanner.

If you want your engineers to have audit-grade skill on MCP attack and defense, the Certified MCP Security Expert (CMCPSE) course is built for that gap. Hands-on labs, real attack scenarios, supply chain and tool poisoning under load, and a credential that proves the work. 

Enroll in the Certified MCP Security Expert (CMCPSE) course and put the checklist into the hands of engineers who can actually defend it.

Certified MCP Security Expert

Attack, defend, and pen test MCP servers in 30+ hands-on labs.

Certified MCP Security Expert

Varun Kumar

Varun is a Security Research Writer specializing in DevSecOps, AI Security, and cloud-native security. He takes complex security topics and makes them straightforward. His articles provide security professionals with practical, research-backed insights they can actually use.