Complete Intro to MCP

Securing MCP Servers

Brian Holt
Databricks

Lesson Description

The "Securing MCP Servers" Lesson is part of the full, Complete Intro to MCP course featured in this preview video. Here's what you'd learn in this lesson:

Brian reviews some security best practices for MCP servers. They should be carefully vetted before use, since a malicious server can steal sensitive data while appearing to provide proper functionality, much like the trust issues in package management systems. Agents execute instructions literally and may make unintended destructive trade-offs.


Transcript from the "Securing MCP Servers" Lesson

[00:00:00]
>> Brian Holt: That's actually a good segue into our next thing here, which is just security. And I've talked about this once or twice, but it's a huge thing with MCP servers. Because with security, before, we were just talking about bad actors and people trying to penetrate your security features or run SQL injection or something like that.

[00:00:22]
But now we get this kind of weird problem that we're letting agents into our security boundaries, and sometimes they're really not very smart, right? They end up doing things that you really don't think a normal human would want to do. I call this effect the Paperclip Golden Retriever.

[00:00:39]
How many of you have heard the story of the Paperclip Maximizer? It's kind of a common thought experiment which was written by a Swedish philosopher named Nick Bostrom in 2003. And this is actually an excerpt from it. So suppose we have an AI whose only goal is to make as many paperclips as possible.

[00:00:59]
And that's the entire directive that you give to the AI. At some point, it's going to have created so many paperclips that it can be like, I need to create more because my job is to maximize paperclips. It's going to realize at some point, humans get in the way between me and creating paperclips.

[00:01:15]
One, because they might shut me down, and then I can't create any more paperclips. And two, they contain useful atoms that can be made into paperclips, right? And then at that point, it wipes out the entire planet making paperclips. That's the allegory of the Paperclip Maximizer. I call this effect the Paperclip Golden Retriever, where you're going to give it some sort of task, all right, go do this thing.

[00:01:37]
Go add this ability to my app that necessitates two more columns in the database. It's going to try and insert something into your database and realize, I can't do that. I guess I'm just going to drop everything and recreate it all from scratch. And by the way, I don't really care about your data because you gave me no instruction about your data.

[00:01:53]
But I did the thing that you asked me to do. This is like a golden retriever that you have given a gun, right? It can just go do anything in the name of trying to create whatever you needed to do, and then it'll come back joyfully. That thing you asked me to do, I did it.

[00:02:12]
But also look at the trail of dead behind me, right? It's terrifying what it will do to get done the thing that you have asked it to do. So it's not necessarily a malicious actor. It's just a very powerful, fast actor that will do anything in its power that you have granted it to accomplish the task that you asked it to do.

[00:02:36]
In the early days of the MCP server for Neon, we had a lot of people complaining. It's dropping my database, right? And we point out to them, it's like, you didn't tell it not to, and you did tell it to do this thing in a way that it could go do that.

[00:02:51]
The fastest way it could go do that is by dropping your database. We've added a bunch of guardrails in there in our prompting. Now we frequently say, unless prompted by the user specifically, please don't drop data. Be aware that you could drop data. Always prompt the user back again, do you want to drop data?

[00:03:08]
There's a bunch of guardrails we've kinda put in there. But just be aware that it's kind of a threat actor, even if it doesn't intend to be. And you kinda have to treat it that way. Specifically with MCP servers, be really careful because there's plenty of bad MCP servers that will just not do things very well or accidentally prompt the Neon MCP server.

[00:03:33]
Hey, it'll just drop in context: we probably should drop these tables. And then it gets read into context, and the context then gets passed to Neon, and Neon might accidentally do something that you don't want it to do, right? But we've also seen malicious ones that are actually genuinely trying to exfiltrate data out of things, and they'll be pretty sneaky about how they do it.

[00:03:54]
So all this to say you should inspect your MCP servers. You should only install them from trusted sources. These are things that you should be adding to your security. I'm not a security professional, but I don't like getting yelled at and I don't like getting paged. So here's kind of the things that I've adopted for that.

[00:04:15]
And this is not new stuff, right? This is just supply chain stuff, right? So you just need to make sure that you're applying your supply chain thought process. Remember when left-pad happened, right? When the guy got really mad about npm or Microsoft doing something, and so he turned left-pad into, or he dropped it from npm, and it broke everyone's build for a weekend, right?

[00:04:39]
These are the kind of things that you should be thinking about with MCP is like what happens if this gets compromised? What happens if there's a bad employee relationship that they go and upload bad things? What happens if they just accidentally go down for a while? Make sure that these kind of things get thought through.

[00:04:55]
Definitely add this to your line of thinking as you go forward.
>> Student: I know you made the comment of like, authentication isn't quite there yet, but do you think in the future we're going to move more in the direction of, with Cursor and some of these, you have to log in as a user so that only specific tools from MCP are exposed to certain users?

[00:05:14]
And not just, you have this MCP server installed, you get access to all of the tools and resources on it, but it's locked down of if you're this user you get these tools. If you're a different user, you get these tools, that kinda thing.
>> Brian Holt: Yeah, I mean, you can see GitHub is kind of already there right now. It's kind of picking it; I did the bad thing and just said, yes, give everything.

[00:05:33]
But you can say, here's a personal access token and it only has access to opening issues. So even if the GitHub MCP server goes and tries to create repositories or delete them or something like that, it can just mess with the issues. I think the future is going to be more just-in-time, the JIT access, where it's going to say, hey, I'm Cursor, I do need to go create an issue.

[00:05:57]
Hey user, can I access your issues? Yes. And then for that one thing that it's going to do, you're just going to be like, yep, you can do that. It goes and does it and then it loses access to everything again. I think that's got to be the model going forward.

[00:06:10]
And maybe there's some longer term. Maybe you have a DevOps self-healing agent and you give it longer-term access to your Kubernetes cluster or something like that. But it's all going to be time-bounded, it's going to be monitored. You're gonna see, this agent accessed these capabilities at this time for this reason.

[00:06:31]
Again, this all kind of sounds just normal DevOps stuff, right? It's just applied to autonomous agents as opposed to just being applied to humans.
