Making OAuth Scale Securely for MCPs - Aaron Parecki - ASW #360

Disney Gone Wild, Docker, AIs, Passkeys, Gogs, React2Shell, Notepad++, Josh Marpet, and More Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-537

This week in our technical segment, you will learn how to build a MITM proxy device using Kali Linux, some custom scripts, and a Raspberry PI! In the security news: Hacking Smart BBQ Probes China uses us as a proxy LOLPROX and living off the Hypervisor Are we overreating to React4Shell? Prolific Spyware vendors EDR evaluations and tin foil hats Compiling to Bash! How e-waste became a conference badge Overflows via underflows and reporting to CERT Users are using AI to complete mandatory infosec training! AI in your IDE is not a good idea Cybercrime is on the rise, and its the kids AI can replace humans in power plants Will AI prompt injection ever go away? To use a VPN or to not use a VPN, that is the question Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-904

Organizations rely heavily on Salesforce to manage vasts amounts of sensitive data, but hidden security risks lurk beneath the surface. Misconfigurations, excessive user permissions, and unmonitored third party integrations can expose this data to attackers. How do I secure this data? Justin Hazard, Principal Security Architect at AutoRABIT, joins Business Security Weekly to discuss the security challenges of Salesforce. Justin will discuss how proactive oversight and a strong security posture in Salesforce requires additional capabilities, including: Continuous monitoring of your Salesforce environment, Strict access controls of Salesforce users, and Automated backup of sensitive data. Think your data in Salesforce is safe and secure, think again. This segment is sponsored by AutoRABIT. Visit https://securityweekly.com/autorabit to learn more about them! In the leadership and communications segment, Boards Have a Digital Duty of Care, The CISO’s greatest risk? Department leaders quitting, The 15 Habits of Highly Empathetic People, and more! Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-425

We've got: Hypnotoad, AI Galore, Storm-0249, DocuSign, Broadside, Goldblade, Ships at Sea, Sora, Aaran Leyland, and More on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-536

The MCP standard gave rise to dreams of interconnected agents and nightmares of what those interconnected agents would do with unfettered access to APIs, data, and local systems. Aaron Parecki explains how OAuth's new Client ID Metadata Documents spec provides more security for MCPs and the reasons why the behavior and design of MCPs required a new spec like this. Segment resources: https://aaronparecki.com/2025/11/25/1/mcp-authorization-spec-update https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-00.html https://oauth.net/cross-app-access/ https://oauth.net/2/oauth-best-practice/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-360

Interview with Danny Jenkins: How badly configured are your endpoints? Misconfigurations are one of the most overlooked areas in terms of security program quick wins. Everyone freaks out about vulnerabilities, patching, and exploits. Meanwhile, security tools are misconfigured. Thousands of unused software packages increase remediation effort and attack surface. The most basic misconfigurations lead to breaches. Threatlocker spotted this opportunity and have extended their agent-based product to increase attention on these common issues. This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more! Interview with Wendy Nather: Recalibrating how we think about AI AI and the case for toxic anthropomorphism. When Wendy coined this phrase on Mastodon a few weeks ago, I knew that she had hit on something important and that we needed to discuss it on this podcast. We were lucky to find some time for Wendy to come on the show! Quick note: while this was not a sponsored segment, 1Password IS currently a sponsor of this podcast. That doesn’t really change the conversation any, except that I have to be nice to Wendy. But why would anyone ever be mean to Wendy??? Weekly Enterprise News Finally, in the enterprise security news, Dozens of funding rounds over the past two weeks Windows is becoming an Agentic OS? We talk about what that actually means. Some great free tools the latest cyber insurance trends we analyze some recent breaches the stop hacklore campaign some essays worth reading and a how a whole country dropped off the internet, because someone forgot to pay a GoDaddy invoice All that and more, on this episode of Enterprise Security Weekly. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-436

Toilet Cams, North Korea, Brickstorm, MCP, India, React2Shell, Proxmox, Metaverse, Josh Marpet, and More, on the Security Weekly News. Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-535

This week we welcome Ed Skoudis to talk about the holiday hack challenge (https://sans.org/HolidayHack). In the security news: Oh Asus Dashcam botnets Weird CVEs being issued CodeRED, but not the worm Free IP checking Internet space junk and IoT Decade old Linux kernel vulnerabilities Breaking out of Claude code Malicious LLMs Hacker on a plan gets 7 years Putting passwords into random websites NPM supply chains strike again LLMs will never be intelligent Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-903

While many businesses rely on Microsoft 365, Salesforce and Google Workspace security features, critical blind spots remain—the recent series of high profile SaaS breaches demonstrate this. So what should you do? Mike Puglia, General Manager of Kaseya Labs, joins Business Security Weekly to discuss the risks in SaaS applications. In this segment, Mike will explore how bad actors are focusing their attacks on SaaS applications, hijacking tokens and how misconfigured integrations are used to bypass traditional defenses. Mike will also discuss how IT leaders can rethink protecting their essential SaaS business applications with tools that go beyond endpoint and MFA strategies to secure the modern user. This segment is sponsored by Kaseya 365 User. Visit https://securityweekly.com/k365 to learn more about them! In the leadership and communications segment, The rise of the chief trust officer: Where does the CISO fit?, When Another Company’s Crisis Hurts Your Reputation, Effective Workplace Communication Tips, and more!   Visit https://www.securityweekly.com/bsw for all the latest episodes! Show Notes: https://securityweekly.com/bsw-424

AI semantics, Calendly, GreyNoise, Teams, Schmaltz, India, Antigravity, Scada, Aaran Leyland, and More... Visit https://www.securityweekly.com/swn for all the latest episodes! Show Notes: https://securityweekly.com/swn-534