Let's unpack something that even surprised me, as a non-engineer. I recently saw a report showing nearly 2,000 MCP servers wide open on the internet, with zero security controls. I understand that's like having a house with no locks, except this house holds all your valuable data and systems.
These servers lack basic security measures that should be standard practice in 2025.
Why This Matters More Than You Think
If you are a software engineer, you already know this. For the non-tech vibe coders, if you're building with AI tools, MCP is your portal to systems. Think of it as an API security issue software engineers care about, with higher stakes.
MCP servers aren't just another API endpoint, which is a specific place where outside programs can interact with your system. They serve as the bridge between AI models and real-world systems. When you connect an AI agent to your database, file system, or cloud services through MCP, you're essentially giving that AI the keys to your digital kingdom. Without tokens (digital keys), authentication (verifying user or program identity), or network protections, malicious actors can poke around, run commands, and even mess with your data.
Consider what this means in practical terms. This might allow anyone on the internet to:
- Query your databases
- Modify files on your servers
- Access internal APIs that should never see daylight
- Trigger workflows that could disrupt business operations
The attack surface is massive because MCPs are so powerful. That's what makes them useful, and also dangerous when left unprotected.
The Human Factor
We are all rushing to implement AI capabilities without fully understanding the security implications. The excitement around AI automation has led to a "deploy first, secure later" mentality that's putting everyone at risk.
MCP is a relatively new technology, and best practices are still emerging. Documentation often focuses on functionality, leaving developers to determine their own protection measures. Under pressure to ship AI features quickly, security can easily slip through the cracks.
What We Should Demand as Builders (No Heavy Tech Speak)
This is not about writing code. It's about insisting you treat MCP deployments like any other sensitive API endpoint, actually, with even more caution. Here are the non-negotiable security basics:
Authentication that actually works. Do they require proper authentication? OAuth tokens (standard digital credentials for secure access), API keys with proper scoping (permissions set for limited use), or similar mechanisms should be mandatory.
Network boundaries that matter. Are they hidden behind networks that enforce limits? Your MCP servers shouldn't be directly accessible from the public internet. Use VPNs (virtual private networks), private networks, or, at a minimum, IP whitelisting (restricting system access to certain approved IP addresses).
Visibility into what's happening. Is there a log? Can someone see what was called and when? Comprehensive logging isn't just good practice; it's essential for detecting breaches and understanding system behavior.
Granular access control. Who has permission to use which functions? Not every user or system needs access to every MCP capability. Implement role-based access controls that follow the principle of least privilege.
Rate limiting and abuse prevention. Even authenticated users shouldn't be able to overwhelm your systems; implement throttling and monitoring so that a runaway or abusive client is slowed down and noticed.
Honestly, I would need to vibe code all of the above into my app.
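As an added example (not code from the original post or from any MCP project), here is one Python gatekeeper that applies the basics above to a single MCP JSON-RPC tools/call request: bearer-token authentication, a per-role tool allowlist, a sliding-window rate limit, and an audit log entry for every decision. The tokens, roles and tool names are constructed placeholders.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed token store (token -> role). A real deployment validates OAuth
# tokens or looks up scoped API keys in a secrets store, never literals.
TOKENS = {"tok-analyst-1": "analyst", "tok-ops-1": "ops"}
ROLE_TOOLS = {"analyst": {"query_db"}, "ops": {"query_db", "write_file"}}  # least privilege
RATE_LIMIT, WINDOW = 5, 60.0          # max calls per token per window (seconds)
_calls = defaultdict(deque)           # token -> timestamps of recent calls
AUDIT_LOG = []                        # who called which tool, when, with what outcome

def _role_for(auth_header):
    """Map a 'Bearer <token>' header to a role, or None if it does not verify."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):]
    for token, role in TOKENS.items():
        if hmac.compare_digest(presented, token):  # constant-time comparison
            return role
    return None

def _rate_ok(key, now):
    """Sliding window: allow at most RATE_LIMIT calls per WINDOW for this key."""
    q = _calls[key]
    while q and now - q[0] >= WINDOW:  # forget calls that left the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def authorize_call(headers, rpc, now=None):
    """Return (allowed, reason) for one request and record it in AUDIT_LOG."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    tool = (rpc.get("params") or {}).get("name")
    role = _role_for(auth)
    if role is None:
        reason = "unauthenticated"
    elif rpc.get("method") != "tools/call" or not tool:
        reason = "malformed"
    elif tool not in ROLE_TOOLS.get(role, set()):
        reason = "forbidden"  # authenticated, but not for this tool
    elif not _rate_ok(auth, now):
        reason = "rate_limited"
    else:
        reason = "ok"
    AUDIT_LOG.append({"t": now, "role": role, "tool": tool, "result": reason})
    return reason == "ok", reason
```

Every branch, including the denials, lands in AUDIT_LOG, which is what lets you answer "what was called and when" after the fact.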
The Bigger Picture
MCPs are powerful, and I enjoy using them.......really.......I live and breathe using MCPs every single day. So I don’t want them to go away.
They let AI models interact with real-world systems, bridging artificial intelligence and practical business outcomes. But that power needs full control. Security isn't a feature you add later; it's the foundation for everything else.
If you are interested in reading the report, visit Dark Reading.
Is this old news to you, or has it got you thinking?
Top comments (2)
Great post Andre.
I too obsess over MCPs, almost too much.
I had not considered how often MCP servers leave things wide open - Wild!
Hopefully more people read this and start treating MCPs with the care they need – so we can all continue to reap the benefits of MCPs.
Here's the article I saw that got me thinking - darkreading.com/vulnerabilities-th...