Your Insecure MCP Server Won't Survive Production — Tun Shwe, Lenses

2026-04-08 · Source: AI Engineer · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Software Development & Engineering · Depth: Advanced, long

Summary

This session, led by Tin Shway and Jeremy Fronae of Lenses, addresses the critical security and design flaws prevalent in most MCP (Multi-tool Co-pilot) servers, particularly when transitioning from local development to production environments. It highlights that agents require interfaces optimized for their use cases, emphasizing that poor design directly correlates with poor security. The presentation details three key differences between human and agent interaction—discovery, iteration, and context—each casting a "security shadow" that can lead to tool poisoning, data leakage, and context injection vulnerabilities. Five secure agentic design principles are introduced: shrinking the attack surface, constraining inputs at the schema level, treating documentation as a defensive layer, returning only necessary data, and minimizing blast radius. The session also covers the "security cliff" encountered when deploying MCP servers to production, necessitating robust OAuth 2.1 implementations, and contrasts Dynamic Client Registration (DCR) with the more secure Client ID Metadata Document (CIMD) approach for client authentication.

Key takeaway

For AI Engineers and MLOps Engineers deploying agentic AI systems, prioritize secure MCP server design from the outset. Implement the five key design principles to mitigate common vulnerabilities before writing any OAuth code. Transitioning to production demands robust OAuth 2.1 flows, with CIMD offering superior security over DCR by verifying client identities and enabling selective client authorization, crucial for enterprise-grade compliance and data protection.

Key insights

Secure MCP server design requires agent-centric interfaces, robust authentication, and strict data governance to prevent vulnerabilities.

Principles

• Good MCP design is synonymous with good MCP security.
• Less exposed surface area reduces attack vectors.
• OAuth 2.1 with CIMD is preferred for enterprise-grade security.

Method

Design MCP servers by consolidating operations, constraining inputs via schema, using documentation defensively, stripping unnecessary data from responses, and scoping permissions at the tool/resource level.

In practice

• Use Pydantic for strict input validation in MCP tools.
• Implement CIMD for dynamic client registration.
• Apply OAuth scopes for session-level permissions.

Topics

• MCP Server Security
• Agentic AI Design
• OWASP MCP Top 10
• OAuth 2.1 Authorization
• Dynamic Client Registration

Best for: AI Security Engineer, AI Engineer, MLOps Engineer

Related on AIssential

• Enterprise-ready MCP // Jiquan Ngiam — AI agents and MCPs introduce powerful automation but also significant supply chain, data, and behavioral risks for enterprises.
• I Hacked an AI Customer Service Agent in 8 Seconds — AI agents are inherently vulnerable to known attacks, requiring dedicated security discipline beyond basic prompt engineering.
• Running Codex safely at OpenAI — Securely deploying AI coding agents requires robust controls, granular visibility, and a balance between productivity and risk management.
• Guide to Architect Secure AI Agents: Best Practices for Safety — Securing AI agents requires a DevSecOps approach, robust controls, and continuous monitoring to manage inherent risks.
• Weekly Dose #4 - From Smarter Models to Safer Systems — Control over AI systems is shifting from prompts to robust runtime environments and external security measures.
• 85% of enterprises are running AI agents. Only 5% trust them enough to ship. — Establishing a robust trust architecture is critical for scaling AI agent adoption from pilot to production in enterprises.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by AI Engineer.