Software Engineering Daily: MCP Security at Wiz with Rami McCarthy
Release Date: July 10, 2025
Host: Gregor Vand
Guest: Rami McCarthy, Principal Security Researcher at Wiz
1. Introduction to Rami McCarthy and Wiz
The episode kicks off with Gregor Vand introducing Rami McCarthy, a seasoned security expert who recently joined Wiz, a leading cloud security platform. Wiz specializes in identifying and mitigating risks across various layers of cloud environments, including virtual machines, containers, and serverless configurations. The discussion promises insights into Rami's extensive background in security research, AI-related security concerns, MCP (Model Context Protocol) security, and broader industry challenges.
2. Rami’s Career Journey
Rami traces his path from studying security in university, influenced by the burgeoning cybersecurity programs funded by the NSA, to his initial foray into security consulting and penetration testing. This phase exposed him to a myriad of security programs and ignited his passion for research. At [02:13], he shares:
“I stumbled my way into security consulting and pen testing, which gave me the chance to see hundreds of different security programs and sparked a pattern of research that led me to a pure research role.”
Rami's journey includes pivotal roles at a health tech startup, where he built a security program from the ground up, and at Figma, where he focused on infrastructure and cloud security amidst the company's scaling challenges. His sabbatical, detailed at [05:32], was a transformative period where he authored 35 blog posts, participated in podcasts, and advised startups, ultimately reaffirming his dedication to deep security research.
3. Sabbatical and Research Contributions
During his sabbatical, Rami emphasized the importance of producing actionable security insights that transcend individual organizations. At [06:19], he explains:
“I published 35 blog posts, did a few podcasts, advised for startups, and dipped my toes into a portfolio of work across the industry.”
This period allowed him to explore niches in security that typically lack the bandwidth for in-depth investigation within single companies. His work aimed to provide practical guidance and foster a broader understanding of complex security issues.
4. AI and Secrets Leakage
Vibe Coding and Secret Leakage
The conversation transitions to AI's impact on security, particularly focusing on "vibe coding" and secrets leakage. Rami delves into how AI-generated code contributes significantly to the exposure of sensitive information. At [10:59], he states:
“The biggest new tailwind in secrets leakage is AI.”
He highlights that AI tools often fail to follow sound security practices, for example by writing credentials into plain text configuration files, which increases the risk of secrets being inadvertently exposed. Rami emphasizes the necessity of integrating security context into AI-generated code to mitigate these vulnerabilities.
Impact of AI on Secret Leakage
Rami further elaborates on the vulnerabilities inherent in AI-generated code, noting that:
“AI generated code tends to have vulnerabilities. It means we need to treat it like code that requires a level of security scaffolding, suspenders, guardrails, support, and beyond.”
He advocates for proactive measures to enhance the security of AI-generated code, ensuring that it undergoes rigorous scrutiny similar to manually written code.
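One concrete form of the scaffolding Rami describes is a secrets check that runs over generated code and configuration before it is committed. The Python below is an added example written for this summary, not tooling from Wiz or from the episode; its rule set, entropy threshold and the sample settings file are constructed, and only the AWS access key ID prefix rule reflects a publicly documented key format.

```python
"""Added example: a minimal secrets check for AI-generated code and config.
Rules, threshold and the sample file are constructed for this example;
this is not Wiz's tooling or anything from the episode."""
import math
import re
from collections import Counter

# (rule name, regex, capture group holding the secret value).
# The AKIA/ASIA prefix rule follows the documented AWS access key ID format;
# the remaining rules are generic, illustrative patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0),
    ("assignment", re.compile(
        r"(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([^'\"\s#]{8,})"), 2),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; below this a value is treated as a placeholder


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, used to separate real secrets from 'changeme'."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """Skip references that resolve at runtime rather than embedding a secret."""
    return value.startswith(("${", "{{", "os.environ", "process.env", "<"))


def scan(text: str):
    """Return (line number, rule name, matched value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, group in RULES:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(group)
            if name == "assignment" and (
                is_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD
            ):
                continue
            findings.append((lineno, name, value))
            break  # one finding per line is enough for triage
    return findings


# Constructed sample: what an assistant-generated settings file often looks like.
SAMPLE = """\
# settings.py generated by an assistant (constructed sample)
DATABASE_URL = os.environ["DATABASE_URL"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "a7Qz9LxT2vZr8mPnQ4wE5sKd"
DEBUG_PASSWORD = "changeme"
SMTP_TOKEN = "${SMTP_TOKEN}"
"""

if __name__ == "__main__":
    for lineno, rule, value in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {value}")
```

Only the hardcoded AWS key and the high-entropy API key are reported; the environment-variable reference, the templated token and the low-entropy placeholder are skipped, which is the filtering a check like this needs so that it can gate generated code without drowning reviewers in false positives.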
5. MCP Security
Overview of MCP and Its Security Risks
A significant portion of the discussion centers on the Model Context Protocol (MCP), a standard for connecting Large Language Model (LLM) applications to external data sources and tools. Rami raises concerns about the security implications of MCP adoption. At [16:55], he outlines:
“MCP security is a big topic, but useful when folks find a way to model it mentally compared to some other system or problem they understand.”
Local MCP Servers
Rami discusses the initial security risks associated with local MCP servers, which are small binaries downloaded from repositories like GitHub. He cautions against the proliferation of these servers without proper vetting:
“The biggest immediate risk is it's just a playground for both attackers and folks who maybe aren't malicious but don't have great practices on shipping local binaries to distribute something across a bunch of your employees.”
Remote MCP Servers and Registry Issues
Transitioning to remote MCP servers, Rami emphasizes the increased risk tied to vendor trust:
“Once we move to remote servers, a lot of the risk moves to the vendors who are providing you these remote servers.”
He underscores the absence of an official MCP registry, likening it to early package management systems before the establishment of trusted registries. Rami critiques efforts like Glamour AI’s registry, pointing out flaws such as inadequate verification processes:
“There is an Azure MCP server that is like very brightly Twitter style verified official that is definitely not from Microsoft, and that is a really bad trap.”
Common Threats: Typo Squatting, Impersonation, Rug Pulls, and Account Takeovers
Rami outlines four primary security threats related to MCP:
- Typo Squatting: Misspelled server names can mislead users into downloading malicious binaries.
- Impersonation: Attackers pose as legitimate organizations to distribute compromised MCP servers.
- Rug Pulls: Malicious updates to previously trusted MCP servers can inject vulnerabilities.
- Account Takeovers: Compromised accounts controlling MCP servers can spread malware.
At [29:50], Rami advises:
“You should work backwards from tools you use, organizations you trust, and especially... avoid taking installation links from social media directly.”
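The four threats above, together with the earlier point about unvetted local binaries, map onto checks a client-side policy can enforce before an MCP server is installed: an allowlist of vetted packages, a pinned reviewed version, a near-miss name test, and a refusal of arbitrary local launchers. The Python below is an added example written for this summary, not code from Wiz, from any MCP client, or from the episode. It assumes the mcpServers map of name to {command, args} that several MCP clients use in their JSON config; the allowlist, reviewed versions and sample config are constructed.

```python
"""Added example: a pre-install policy check over an MCP client config.
The mcpServers layout is assumed from common client configs; the allowlist
and sample config are constructed and are not from Wiz or the episode."""
import json

# Hypothetical allowlist: vetted packages keyed by exact name, with the
# version that was reviewed. Anything else is flagged before install.
ALLOWLIST = {
    "@example-org/filesystem-mcp": "1.4.2",
    "@example-org/github-mcp": "0.9.0",
}
TYPOSQUAT_DISTANCE = 2  # names this close to an allowlisted name are suspicious


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss names (typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_spec(spec: str):
    """'@scope/name@1.2.3' -> ('@scope/name', '1.2.3'); no version -> None."""
    if spec.startswith("@"):
        scope, _, rest = spec[1:].partition("/")
        name, _, ver = rest.partition("@")
        return "@" + scope + "/" + name, ver or None
    name, _, ver = spec.partition("@")
    return name, ver or None


def check_server(name: str, entry: dict):
    """Return policy findings for one configured server (empty list = allowed)."""
    findings = []
    command = entry.get("command", "")
    args = entry.get("args", [])
    # Local binaries and ad-hoc launchers are exactly the "playground" risk:
    # only package-manager launches of reviewed packages pass.
    if command != "npx":
        findings.append(f"{name}: unvetted launcher '{command}'; only reviewed npx packages are allowed")
        return findings
    spec = next((a for a in args if not a.startswith("-")), None)
    if spec is None:
        findings.append(f"{name}: no package specified")
        return findings
    pkg, ver = split_spec(spec)
    if pkg in ALLOWLIST:
        if ver is None:
            findings.append(f"{name}: {pkg} is unpinned; pin to {ALLOWLIST[pkg]} to limit rug-pull exposure")
        elif ver != ALLOWLIST[pkg]:
            findings.append(f"{name}: {pkg}@{ver} differs from reviewed version {ALLOWLIST[pkg]}")
        return findings
    near = [a for a in ALLOWLIST if levenshtein(pkg, a) <= TYPOSQUAT_DISTANCE]
    if near:
        findings.append(f"{name}: {pkg} is not allowlisted and is within edit distance "
                        f"{TYPOSQUAT_DISTANCE} of {near[0]} (possible typosquat)")
    else:
        findings.append(f"{name}: {pkg} is not allowlisted; verify the publisher before installing")
    return findings


def check_config(config_json: str):
    """Run check_server over every entry in a client config's mcpServers map."""
    out = []
    for name, entry in json.loads(config_json).get("mcpServers", {}).items():
        out.extend(check_server(name, entry))
    return out


# Constructed sample config: one clean entry and four policy violations.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@example-org/filesystem-mcp@1.4.2"]},
    "files-old": {"command": "npx", "args": ["-y", "@example-org/filesystem-mcp@1.3.0"]},
    "github": {"command": "npx", "args": ["-y", "@example-org/github-mcp"]},
    "gihub": {"command": "npx", "args": ["-y", "@example-org/gihub-mcp@0.9.0"]},
    "azure": {"command": "./azure-mcp-server", "args": []},
}})

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

The allowlist is the "work backwards from tools you use and organizations you trust" part made mechanical: a name that is not on it is never installed on the strength of a badge or a link, and a name one keystroke away from a vetted one is called out explicitly rather than silently rejected, so the person reviewing the finding sees the likely impersonation.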
6. TJ Actions Supply Chain Attack
Rami shares his experience investigating the TJ Actions supply chain attack, a sophisticated multi-step compromise targeting Coinbase. At [34:41], he recounts:
“There was a multi-step attack where an attacker compromised a GitHub action used by Coinbase, leading to secret leaks in CI/CD pipelines.”
His role involved dissecting the attack chain, collaborating with other research teams, and coordinating disclosure with affected parties like Coinbase. Rami highlights the importance of:
- Collaborative Investigation: Working with multiple teams to trace the attack's origin.
- Responsible Disclosure: Prioritizing the affected parties' ability to respond before going public.
7. State of Cloud Security Reports
Rami critiques traditional cloud security reports, arguing that they often highlight issues without providing actionable insights. He points out the irony in such reports, asking:
“If you are a cloud security vendor and your customers have publicly exposed sensitive data and aren’t fixing it, what value are you providing?”
Instead, he advocates for metrics that focus on:
- Customer Remediation: Measuring how effectively vendors help customers resolve critical security issues.
- Industry Progress: Tracking advancements like the adoption of IMDSv2 in AWS.
At [48:40], Rami summarizes his stance:
“There is no one golden metric, but caring about moving things towards invariance, caring about the critical issues which are often toxic combinations are what I leave folks with.”
8. Career Advice
Concluding the discussion, Rami offers invaluable advice to aspiring security professionals:
“Do not underestimate the compounding value of working in public. Start blogging, talking publicly, building your network... If you have learned something, write about it, share it, and pressure test ideas.”
He emphasizes that documenting and sharing insights not only enhances personal growth but also contributes to the broader security community by fostering transparency and collaborative learning.
Key Takeaways
- AI's Role in Security: AI tools, while powerful, can inadvertently increase the risk of secrets leakage if not properly secured.
- MCP Security Risks: Both local and remote MCP servers pose significant security threats, underscoring the need for trusted registries and stringent verification processes.
- Supply Chain Vulnerabilities: The TJ Actions attack exemplifies the complexities of supply chain security and the necessity for collaborative defense mechanisms.
- Effective Metrics: Cloud security evaluations should prioritize actionable remediation and industry-wide progress over superficial metrics.
- Public Engagement: Building a public presence through writing and networking is crucial for career advancement and contributing to the security field.
Notable Quotes
- Rami McCarthy on AI and Secrets Leakage: “The biggest new tailwind in secrets leakage is AI.” [10:59]
- Rami McCarthy on MCP Registry Flaws: “There is an Azure MCP server that is like very brightly Twitter style verified official that is definitely not from Microsoft, and that is a really bad trap.” [25:43]
- Rami McCarthy on Career Advice: “Do not underestimate the compounding value of working in public.” [52:31]
This episode offers a deep dive into contemporary security challenges intersecting with AI advancements and protocol implementations like MCP. Rami McCarthy's insights provide both strategic perspectives and practical advice for security professionals navigating an increasingly complex threat landscape.
