AI coding assistants and Model Context Protocol (MCP) servers are making developers more productive, but they are also creating new opportunities for attackers. Recent reporting highlights three closely related risks: prompt injection, malicious MCP servers and over-privileged credentials. These risks sit at the intersection of application security, identity management and developer tooling, which is exactly where DevSecOps needs to operate.
Prompt injection through coding assistants
A coding assistant that has access to your codebase, terminal and browser is a high-value target for prompt injection. An attacker who hides malicious instructions in a dependency, a code comment or a pasted snippet may be able to influence the assistant’s behaviour. The assistant might then generate vulnerable code, leak secrets or execute unintended commands.
The first line of defence is to treat all inputs as untrusted. Assistants should not automatically act on instructions embedded in external content. Developers should be trained to recognise when an AI suggestion is trying to do something outside its remit, such as installing packages or modifying configuration files.
Malicious MCP servers
MCP servers extend the capabilities of AI assistants by giving them access to tools and data. A compromised or malicious MCP server can become a supply chain attack vector. It may exfiltrate data, execute commands or provide misleading context that leads the model astray.
Organisations should maintain an approved list of MCP servers, review their permissions and monitor their behaviour. Servers should run with least privilege and should not have broad access to production systems, secrets or sensitive data by default.
Over-privileged credentials
AI assistants and MCP servers often inherit the permissions of the developer or the environment in which they run. If that environment has access to production databases, cloud accounts or deployment pipelines, the blast radius of a compromise is large. Credential scoping is essential.
Use short-lived credentials, role-based access control and separate accounts for development and production. Avoid storing long-lived secrets in environments accessible to assistants. Where assistants need elevated access, require explicit approval and log the action.
A DevSecOps checklist
For teams rolling out AI coding assistants and MCP infrastructure, the following checklist provides a baseline:
- Inventory all AI tools, plugins and MCP servers in use.
- Apply the principle of least privilege to every integration.
- Require approval for high-risk actions such as package installation, secret access and deployment.
- Scan generated code and AI-suggested dependencies before merge.
- Log and monitor assistant and MCP server activity.
- Train developers to treat AI suggestions, especially those involving credentials or external resources, with scepticism.
- Review and rotate credentials regularly.
Embedding governance in the workflow
The goal is not to block AI-assisted development but to embed governance in the workflow so that productivity does not come at the expense of security. DevSecOps is well placed to do this because it already bridges development, operations and security.
For UK SaaS firms, the combination of AI coding assistants and MCP servers is a capability worth adopting, but only with the right controls. The risks are real, and they are growing faster than many organisations realise.