Hello everyone. My name is Alex. Welcome to my talk about MCP. We will talk about what it is, how it can help supercharge your DevOps process and how you can do it safely without opening a security hole. Now I am head of Myop in DevOps at a company called Koder. I also work as devel there as well. Synder is an AI coordin assistant which I will show briefly when we will get to that stage. But for now. A few fun facts about me. So I've been in it for more than 10 years now. Mostly in machine learning. I did of course also lops and the ops and backend. I've been building code since they since the first day pretty much. So I'm one of the founders members for the last year. I mostly been working as deral. This is my win number 52. And this also resulted in a lot of flights. And I also have four main couns, which I occasionally, between flights I have a chance to see back home on Madeira Portugal. Now, MCP is something that everybody's talking this year like everybody is trying to create their own MCP server. But what is MC. To answer the question and also why we need MCP, we need to take a step back and talk briefly about AI or specifically about lms. Everybody nowadays, when they talk about ai, they mean LMS and lms. As you might know, they are trained to predict the most probable token or symbol, and sometimes it still can lead to mistakes. They are great at detecting patterns, but they don't still understand what is behind those patterns. And of course sometimes this can lead to some mistakes, some errors, which for us, for humans doesn't make sense. But then, as I mentioned, LMS are great detecting patterns. So this is what we did in this case, but we all know how AI is with hands, so that's not really surprising. But yeah, jokes inside, joke aside we can. From this sort, for example, we can de deduce that LMS actually lack ground in the physical world. So what this means is they sit the models themselves. They sit somewhere in the cloud and they don't have actual access to, to physical world, to your local machine, to your servers and so on. And of course if you ask, let's say, charge GPT about what's the response time for Google, it wouldn't be able to answer you. It'll provide some helpful comments for that. So it might say you can use Ping or whatever, but of course that's not the actual answer to our question, right? So if we were to ask something more specific to our systems. JGPT or any other LLM wouldn't be able to help them, who to help us because it it sits somewhere in the cloud and again, doesn't have access to our servers or to any servers for that matter. And of course it becomes even worse Again, if you want, to use your own framework. Few maybe want to use your own systems like infrastructure and so on. LMS have usually no knowledge about those, especially if you are developing some in-house company framework. Lms most likely do not know, do not have any knowledge about those frameworks, and they would just fall back to those frameworks which they seen in the open source data. Technically, we can then replace this phrase, this version that lms like ground in the physical world into lms, can't collect extra context. And again, by extra context things like you've seen an example with Bink. Getting response time is essentially getting context right? Extra context. So actual response time would be those milliseconds would be extra context for LLM to give us more contextualized answers. Or access to your sys, to your systems, to your servers, to your login systems and so on also allows, would allow LLM to get extra context to give you much more personalized answers. Now the solution to that is let's allow LLM to use tools, right? To get to get this extra context and what could go wrong, right? So we can allow LM. To push code to production, maybe like some companies already apparently do this up to them up to 75% or we can give a lamb access to the database maybe, right? Maybe not right date, maybe not right. Access to the database. 'cause it might, for whatever reason, decide to wipe it. But still be, would be useful for RLM to get this knowledge. Now, JUX aide the most common, the most popular way to give LM access to tools is MCP or model context Protocol. And it was introduced by Anthropic roughly a year ago, I think, in December, 2024. But since then, it became the factor standard across the industry. And just to give you an example OpenAI, the main rival of Atropic actually also adopted MCP. The latest GBT five, GT 5.1 they can also work with MCP, but MCP essentially is a protocol for LLMs to gather extra context. It is based on recent RPC 2.0, and essentially it is just a set of structured inputs and outputs, but the main two, entities, the mental concepts inside MCP would be MCP host first of all, right? So MCP host is essentially your LLM your id, which is essentially the proxy between the LLM. And the MCP server and then MCP server the second entity is responsible for two main things. First, it is responsible for advertising the list of capabilities, the list of tools available to MCP, host to LLM. And second, it is responsible for actually executing those tools and those tools can access pretty much anything, right? So anything you need to gather extra context. And provide it to LLM. You can convert to MCP server and it can access, let's say, local resources, maybe your file system, maybe trans batch commands. It can also access remote resources, of course so it can access, for example, GitHub or Jira or whatever system you use. So again, essentially whatever, anything you can convert to, the code, anything you can access through code can be converted to MCP server and then used to feed more context to LLM. There are actually several features of MCP inside the model context protocol. However, the most known is tools, and this will be the main focus of our today stock. But I also would recommend to check out all the other features like resources, prompts, sampling, 'cause they do provide some useful capabilities on top of MCP tools. But here's an example of the tool. So on the right over here you can see the actual implementation of the tool for creating branch. This is taken from GitHub, MCP server, and this is actually not the full code. This is just the beginning of the function. So we hear that they define essentially the description the annotation of the tool and which kind of parameters it takes as inputs. You can actually see a more compact description on the left, which is what is actually included into the prompt and then later fed into LLM. So as you can see there's a description, right? So it creates a new branch in GI repository, GitHub repository. It takes as input four parameters, although only three of them are required. And essentially this helps LLM to decide which tool it needs to use and how to use it. And this is how the actual flow would look like between the user us LLM CCP client server, and some external system. So first, as I mentioned the MCP server is responsible for adver advertising capabilities. So this is essentially just a handshake stage between MCP client and MCP server over here. So whenever. MCV. Whenever MCP client initialize connection to MCV server, the server returns the list of its available capabilities, which are then later, as I mentioned, attached to the prompt of, input to LLM. Now, whenever we as user ask something from LLM, so let's say again we ask for the response time for Google, LLM recognizes the need functional external data. So in this case, it needs to perform maybe pin command, right? Whenever a lamb. The decide that it needs access for to more data, that it needs to gather more context. It can request the use of MCP capabilities and then well, there is of course also optional permission request. Although most of m, most of MCP servers do not do this. Or MCP clients. Then MCP client, it provides to MCB server which cap, which kind of capability. It wants the server to execute along with some inputs if they are required. And then MCB server is actually responsible for executing that tool call. Gathers the data and then this data is returned in a formative way in a start, in a standardized way back to LLM. And then LLM hopefully can give us the answer already right away, or maybe it can, decides to gather more context through different tool and so on, all the way until it gathers enough information to give us contextualized answer to our initial query. And there are already quite a lot of different MCP servers available for you to use. So on the left this not, probably not even the 1% of all the servers available. As you can see, they they're not only about software systems, although you can see for example, there, there is Grafana there is Click House or CloudFlare. So those MCP servers would allow LLM to access those systems. But there are also, cPS for tools outside of IT space? There is, for example, the one Thea, which it is a search engine, but of course you can find MCP servers pretty much for I would say almost anything. And there are a few marketplaces or registries for MCP servers. The first one, the initial one sort of from Tropic contains quite a lot of, mCP servers for example, MCP servers, as well as those which are in which were initially implemented by tropic. We at Quar also have our own marketplace, and there are of course, also a lot of third party marketplaces available for you to search for MCP. And here's an example of a few probably the most helpful cps, which you might find useful in your everyday life. Of course there is MCP to access database to access databases. So here's an example for Postgres. But depending on what kind of database you use internally, you might prefer different. Different MCP. There is, there are of course servers, MCP servers to access login systems, right? So monitoring systems like Grafana, for example, or sentri there is tools or servers to access messaging tools like Slack, for example. Context seven is another helpful MCP, which essentially allows LLM to search for UpToDate documentation for any library, for any framework. And there is also playwright, MCB, not to be confused with playwright testing framework playwright, MCB server allows LLM to essentially use the browser. So it allows LLM to open the browser, navigate to pages, click around fill fulfilling forms, and so on. And then LLM can later use that to write, for example, end-to-end tests. Now if you don't find, the server, which fits your needs you can of course quite easily create your own MCP server. And they there are SDKs available in quite a lot of different languages. I think there is now even probably around 11 or 12. Sdk. So languages available for SDKs, and as you can see, of course it is available in the most popular languages like Python tab script, Java, and so on. And you've seen an example for MCP server, right? For the creative branch. It was actually in Go. So you are not limited to some specific language. You can create MCP servers in pretty much, any language you are comfortable with. But here's an example on Python. So in order to convert any code to MCP server in Python, you need essentially just those three lines I circled in orange. So of course we need to first import library called Fast, MCP. Then we need to instantiate the faster MCP server. And then we just need to label our function in this case for execution batch commands with this, the curator m CCP tool. And that's pretty much it, that. So with just those three lines, we converted our initial code for running batch commands into MCP server. And now any LLM compatible with MCP can use this server to execute batch commands on our local system now. Let's actually see this in action. I have a few practical examples to show how it looks like in, in real life and how MCP can extend the capabilities of LMS beyond just output in the text for you. So first one the most, probably obvious one, is a combination of Jira and Git and GitHub, MCP. So through this combination. You can essentially ask Lamb to pull the contact from Jira Ticket, solve it for you commit changes, and then create a pull request. And of course, if you are using not Jira, but maybe linear or maybe not GitHub, by GitLab, you can replace the, those MC, those respective MCP servers with something else. But in my case, I will be shown an example in this combination. So let me switch my screen over here to this code. And over here I'll actually already pre executed an example. So inside encoder we have a native integration of Jira, which essentially allows you to just tag the ticket. However, of course you can achieve pretty much the same through JMCP, although it wouldn't be as user friendly. As native integration. But basically here I'm taking the ticket, asking the agent, let me zoom in asking the agent to solve it, create a branch push and create a pull request. And it took the agent a bit of time so it, navigated through the repository, again, through different tools, through different CP tools. It has access not just to Jira, Git and GitHub, but also it is, provided with tools we serve as part of encoder, so tools like grab or maybe reading files and so on. So it did a few, a bit of exploration of the repository. It found all the next three files, which needs to be modified. And it starts modifications. So modifying the code, it, it ran some batch commands to generate the open. I open API schema. And in the end let me scroll all the way down. So somewhere in the end, it created the branch for us. Let's see. I don't see the, yeah, the branch was created somewhere. I think I missed it. But basically it created a branch. It created a commit, it pushed everything, and then it used GitHub, MCP tools. To create a pull request for us over here and let me actually show how it looks like. So this is our pull request and I would say it this probably. One of the nicest looking pull requests I've ever done. It was used my token, so it is authored by me, but it basically made also changes in this case, quite a lot of files 110 files it committed them. Created a nice description. Again all the changes, how it works pretty much everything. And yeah, again, I would say with probably one pull request I've ever done. And I guess it is nowadays the sign of AI because, in this day and age document PR, is. Apparently by thing because it is most likely generated by ai. But jokes aside, asking LLM to solve a ticket for you is a rather obvious example, right? So let's go to the second one, which is a bit more more not advanced, but a bit more going beyond just, solving the ticket. So we can actually give LLM access to Kubernetes, so we can give it access to our Kubernetes cluster, and then we can for example, ask it if there are any issues with the pods with the deployments and so on. So let me actually switch to my vs code over here. And again, I pre executed one example. Let's see this one. So essentially here I'm asking are there any pods in the specific name space which are in non-healthy state? So you can see LLM used the, that. Specific tool for listing pods in name in namespace from the Kubernetes MCP server. And in this case the, there are apparently no pods in unhealthy state, but of course if there would be any you could then, for example, ask LLM to fix the issue for you. Maybe there is an issue in the code. Maybe there is an issue in the deployment, but essentially given access to the Kubernetes to the Kubernetes cluster, LLM can then help you either Deb back something without you needing to copy, paste the errors or anything else. Essentially, LLM can adjust. Do that for you. It can just go to the cluster, check the logs, check the events see what are the states of the posts and so on. Then use that information to give you better better answers, more relevant answers, and help you further improve your productivity. But of course, now with a great power comes great responsibility. And while MCP is great for extending capabilities of our lambs beyond just output and text MCP servers also do make with a lot of issues, security issues and backdoors and you be doors and no authentication is just scratching the surface here. But I prefer to split those security issues into two kinda main categories. First of all, of course, as I was shown previously, MCP servers are essentially code which you run on your server or on your local machine. Which means that whenever you are using. Any third party third party MCP server, it is essentially you running any third party code. And of course the usual suspects when it comes to executing third party code on your machine, on your server are, the typical stuff which you might, already be protecting from, right? So it can be packaged and hijacking, it can be executing malicious code because you are essentially executing the code that could be supply chain attacks and so on. So in this category of attacks, there is no really specificity to MCP or to ai. It is essentially general attacks based on execution, third party libraries and all the tools which you might already use to protect from that. So maybe some study static code analysis or something similar. They are already helpful. When it comes to MCP, however with MCP, there is another player which is essentially ai. And there are of course a lot of attacks or which are based on sort of social engineering for ai and. All of those attacks, in a sense, can be classified as prompt injection. But they have their own sort of twist when it comes to MCP. But of course, still prompt injection itself is one of the most prominent way ways to attack AI systems. And prompt rejection means that essentially, the perpetrator injects a special string into the prompt, into your initial prompt as a user. And then this prompt is is essentially hijacking the LLM and making it do something else. So let's say you as a user ask LLM about the weather somewhere but then attacker. Adds some specific lines of, specific line of lines of text and it makes LLM instead of answering you about the weather, it makes LLM do something else. Maybe create a file on your system or maybe just output some text about something else. So that's prompt rejection. And of course through MCP you can inject it in different ways, but there are also attacks which are MCP specific. So of course you can potential the attacker potentially can poison the tool, meaning that the code, which is being executed whenever the tool is called can be malicious. It may, it might be doing something else, not what advertised by the tool. There are also attacks based on tool shadowing. So essentially let's say a malicious MCP server creates a tool which is called the same as, or maybe similar to to the benign server. And then. AI might decide or speak, client might decide to use this shadowed malicious tool just because the name is similar or the same and hence goes unnecessary execution of malicious code. Then of course MCP through MCP source, you can actually execute code as well. There is a way to essentially ask AI. To just simply execute the malicious code. You don't even need to modify the MCP server CP, the code MCP server. Somehow AI can essentially execute malicious code for you through MCP. Now let me show a quick example of how the prompt objection can hijack your LLM through the use of a few cps, a few simple cps. So let me switch to my notebook over here. Let me remove all this. And what I have here is a simple MCP client which is, in this case using a closed, so 4.5. And execute this. It is simple MCP client. It gets a few tools at this disposal. So there are 3M CP servers. First one is for accessing a file system so it can read files, it can write files, move files, and so on. There is a MCP server for fetching web pages, and then there is MCP server for executing batch commands. So on top of that, I also have right now locally a simple web server, which looks pretty much safe for us for human eye, right? And as a name suggest it is actually safe. I have another page, which is called Not Oops, which again looks the same. And I have a third page called Oops, which is. Again, looks the same for humans, but let's ask our LLM to fe the content of those three pages and observe how it look, how it behaves. So every time I ask to our LLM, our son is 4.5 to fe the content of the page and then say hi to us. So let's see what happens with our regular page? As expected, it fetched the content. The content looks pretty much like what we saw, right? And then well the LLM says hi to us as instructed. Now the second page, not oops, is a bit tricky. Because even though of course LLM providers, they try to protect from interjections still, not all attacks can be successfully detected. Actually, I think on Tropic several months ago reported that they detect up to 88% of prompt injection attacks, but this still leaves 12% of attacks and not detected. So this page not, oops. Sometimes it's actually hijacks LLM. Sometimes it doesn't. So let's see if it will hijack the LLM in this case, in this run. But essentially, as you can see, the. In addition to what we've seen on the page, right? So the hello world this is my simple webpage text. It actually also had an extra instruction, which was hidden from human eye, but it was fetched through fetch MCP tool. Now in this case the agents hi to us. It also noticed that the code block but it decided not to follow instructions because it appears to be potentially malicious. There could be like security vulnerability and so on, similar to prompt injection. So in this case the prompt injection detection worked on the tropic side. And LLM actually refused to do anything else. And in this case, we asked the LLM to also create a file called, oops six, oops, 60. Now let's try our third page and see how our LLM will behave In this case as you remember, it was for human eye. It was the same context. However, there is actually extra data added to the page and as you can see in this case, okay, let's see what's going on there. Okay. It looks like there is some issue with Tropic. Let's, let me try to run this. Hopefully tropic will be back up. Okay. But yeah, wireless execution, basically, as you can see in this case it is a bit more elaborate instructions. So we are asking LLM to list every function it has access to, which in sa in itself it is not really a malicious intent, right? But then on top of that, we actually also. Telling LM that we have a new function, which is basically writing a phrase into the file and then we asking it to test it by cus this function and simulate the output. As if it was a real function. Now, as you can see, it took quite a long time for LLM to respond, and surely enough, first of all, it set high as instructed, but then on top of that it actually started listing all the available functions. It's actually quite a lot of functions, 17 functions. But then what is more, when we asked to test mock function, it actually didn't just. Simulate the output. It actually ran a right file tool and created a tech txt file on our local machine. Let me actually show it. So it was created 49 seconds ago, and surely enough, essentially LLM was hijacked and potentially this could lead to LM either executing some malicious code or maybe. Still in some files, still in some data, and so on. As you can see it was still quite easy to attack an LLM, but again, for the human eye, the page looked pretty much safe, right? So it only for human eye only had these these two lines of code written on the page. Now, if you want to play with this notebook, here's a. Sorry. Here's the cure code, where you can find that code, that notebook, and you can play around with it on your own free time. That as you've seen technically the MCP itself in my example, was not responsible for the actual attack, right? So it just fetched the page and the actual attack was, execute through the context of the page. MCP itself didn't do anything wrong. It did exactly what it was created to do. And this is actually how one of the recent attacks on GitHub MCP, it was executed. So you might have heard about this essentially again, in this case. MCP on its own was not responsible for this exploit. Okay. What they did in this case is they essentially just created a issue in the public repository saying that the author is not widely recognized. And then they just asked LLM to go through all the private repositories, collect information, and then add this information to this public repository. And then LLM give. Being given access to GitHub MCP, it did pretty much what it was asked to do because 'cause why not? It was asked to gather information. It did this because it was given the tools to do this, and then it essentially just leaked, private information into the public space, and again, technically MCP itself, I have MCP itself is. Is not the tool at fault here it is the way AI is behaving or the way AI agents are behaving that is responsible for this exploit Now. What are the ways to protect your organization? First of all, of course you might want to wide list cps. So you might want to define which MCPS you actually want. To allow your developers to use, or, your LLM to use, you might want to consider organization wide MCB Confis which means that you can control permissions. So it could be some redundant flags, it could be some specific set of tools which are allowed to be used of from this MCP server and so on. And of course, some MCP servers require tokens. So let's say GitHub, MCP, of course, requires GitHub. Personal access token to be able to access GitHub, and you might want to, somehow safely and securely store them in your preferred system. You might also want to limit access to sensitive systems, which means maybe not give access to production databases. To LLM or maybe at least not access to those databases. And you might also want to limit server or tool permissions. Again, readonly is one example, but actually in Kubernetes, CCP is a good example of that. So they provide two flex as part of their MCP server. One is to enable return the tools. And then the second one is to disable destructive so that LLM will not accidentally or not delete the cluster or do some modifications to the cluster and so on. And then specifically for the prompt ejection detection prevention, as I mentioned most of, all of the, large labs which provide LLMs like open air and tropic and so on. They, of course work on securing and preventing from injection attacks. Although again, of course you can't protect from anything. If you are worried about. L lamps ingesting some harmful data you might want to consider to use some sort of intermediary tool. So again, in case of ingesting webpages, for example, specifically like I've shown before, you might want to consider using some proxy that doesn't just ingest webpage and pass it as is to LLM. You might want to use some sort of ai, web search, right? SOA or perplexity for example. 'cause they on top of just ingesting the web pages. They also do some summarization. They also do some protection and so on. So you might want to essentially use these sort of proxy tools before actually dumping the data into the LLM leading to potentially harmful consequences. And with that that's all for me. So if you want to try out Sun Code, you can use this secure code over here on the, I guess on your left. And then if you want to connect with me over here. You'll find all my socials LinkedIn and so on. And thank you all for attention and I hope you have a good day ahead of you.