Securing Model Context Protocol (MCP): Threat Modeling and Hardening the Tool & Context Supply Chain

Model Context Protocol (MCP) standardizes how LLM applications connect to external tools and data sources via MCP servers. That standardization is accelerating adoption, but it also expands security risk: tool execution, context retrieval, streaming updates, and “sampling” workflows create new attack pathways that don’t exist in plain chat apps.

Security

This session presents an attacker-minded walkthrough of MCP’s security failure mode: tool poisoning, server impersonation, prompt injection through tool metadata and retrieved content, unsafe streaming notifications, and authorization gaps that turn MCP servers into high-impact “confused deputies.”

We then map those risks to concrete, implementable mitigations: strong server identity and allowlisting, fine-grained authorization (scopes/claims), deterministic policy enforcement outside the model, tool capability minimization, execution sandboxing, audit-grade tracing, and safe handling of dynamic tool updates.

Attendees leave with a practical hardening checklist for MCP hosts/clients/servers and verification tests to prevent MCP integrations from becoming security nightmares.

Jim Manico

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, and BitDiscovery. Jim is a frequent speaker on secure software practices, is a Java Champion, and is the author of 'Iron-Clad Java - Building Secure Web Applications' from Oracle Press. Jim also volunteers for OWASP as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.

NDC { Security }

Securing Model Context Protocol (MCP): Threat Modeling and Hardening the Tool & Context Supply Chain

Jim Manico