When it comes to agents and MCPs, the interesting security discussion isn't that they need strong authentication and authorization, but what that authn/z story should look like, where does it get implemented, and who implements it. Dan Moore shares the useful parallels in securing APIs that should be brought into the world of MCPs -- especially because so many are still interacting with APIs.
Resources
Dan Moore is a senior director for CIAM Strategy and Identity Standards at FusionAuth, where he helps customers and community members create solutions, contributes to identity standards, and educates developers about auth and OAuth. He’s written, contributed to or edited 5 books, including “Letters To a New Developer” and “97 Things Every Cloud Engineer Should Know”. A former CTO, technical trainer, engineering manager and longtime developer, Dan has been writing software for (checks watch) over 25 years.
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Most security conferences talk about threats. Zero Trust World lets you attack them. From March 4th to 6th, 2026 in Orlando, Florida, this hands-on cybersecurity event features live hacking labs where you’ll break real environments, think like an adversary, and learn how attacks really work. You’ll also get expert sessions, real-world case studies, CPE credits, and networking with top practitioners. And yes — the Security Weekly team will be there too. Don’t miss it! Register today at securityweekly.com/ZTW.
Mike Shema
- Security incident on plone GitHub org with force pushes
- Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)
Be sure to check out the other research it calls attention to from NCC Group.
- Advancing Windows security: Disabling NTLM by default – Windows IT Pro Blog
Slightly sort of secure by deprecation. More secure when disabled by default. Secure by design when it's finally done with forever.
- Top 10 web hacking techniques of 2025 | PortSwigger Research
- Testing AI Agents on Web Security Challenges: What We Learned – Irregular
- New survey reveals how security researchers and journalists experience legal and criminal threats
Always finding good articles from the Risky Bulletin.
John Kinsella
- Do we need frameworks if we have GenAI coding agents?
I'm approaching this as a think piece, not a solution. The idea raised by the author (and both sides argued over at Hacker News) is if we can control a swarm of agents that are capable coders (work with me) - do we need to have the agents using frameworks like vuejs and angular, along with the baggage and potential bugs they bring, or should we instruct the agents to just create the bits needed for a given application?
