Posts

Preventing OWASP ASI04 Agentic Supply Chain Vulnerabilities in a .NET AI agent with SBOMs, dependency pinning, kill switches, and zero-trust architecture.

Preventing Agentic Supply Chain Vulnerabilities

Your AI Agent’s security is only as strong as its weakest dependency. Whatever packages you are using within your agents, you’re trusting that those packages that have been published haven’t been tampered with and that they don’t contain vulnerabilities. The same applies for every transitive dependency in your graph. In Biotrackr, I’m using a couple of packages that are still in preview, so there may be flaky APIs that could affect my agent’s security and reliability. Agentic Supply Chain Vulnerabilities are amplified in agents because AI frameworks are in preview (at time of writing). The technology is evolving rapidly, and these frameworks have deep dependency trees that are harder to audit. ...

Preventing OWASP ASI03 Identity and Privilege Abuse in a .NET AI agent with Entra Agent ID, RBAC, federated credentials, and per-action authorization.

Preventing Identity and Privilege Abuse in AI Agents

One of the challenges I faced developing an agent for my side project (Biotrackr) was how do I manage identity. Some AI Agents share the same service principals or managed identity with the application, which is used to authenticate API calls, access databases etc. This is an issue, because if the application has contributor access to a database, so does the agent. If the agent gets compromised, then the blast radius extends to the entire application’s permission scope. ...

Preventing OWASP ASI02 Tool Misuse in a .NET AI agent with date range limits, page size caps, read-only tools, egress controls, and managed identity.

Preventing Tool Misuse in AI Agents

In my side project (Biotrackr), I have a chat agent that I use to query my data using natural language. This agent has 12 tools that call APIs to retrieve data that provides context to a LLM. I’m using Claude as my LLM provider, so Claude will decide which tool to call, and with what parameters. Let’s pretend that we are bad actors trying to disrupt my agent. Say we decide to prompt inject the agent, and get it to perform an expensive query to retrieve 100 years of data (I’m not that old thankfully!) in an attempt to return a massive payload, consume thousands of Claude API tokens, and hammer my APIM gateway. ...

Preventing OWASP ASI05 Unexpected Code Execution in a .NET AI agent with input validation, non-root containers, static tool registration, and runtime monitoring.

Preventing Unexpected Code Execution in AI Agents

Can your AI Agent run code? If not, you probably don’t think that unexpected code execution applies to you. However, this goes a lot deeper than eval(). Input validation, container security, static analysis, and runtime monitoring all play a part here. Even an Agent with read-only capabilities and no code interpreter has an execution environment, tool parameters that flow from LLM output, and a CI/CD pipeline that needs to be secure. ...

Building a health data chat agent using Claude as the LLM backend with the Microsoft Agent Framework in .NET 10, featuring function tools, AG-UI streaming, and system prompt design.

Building a Health Data Chat Agent with Claude and the Microsoft Agent Framework

Using the Microsoft Agent Framework, we can build agents that interact with our data via chat capabilities. In my personal project, I decided to create a Chat API that allows me to query my data via a chat interface using an LLM. I wasn’t keen on using OpenAI, or even provisioning Microsoft Foundry to create a deployment so that I could use an LLM that they provide. I decided to just grab an API key for Anthropic so that I could use Claude, and hook it up into my agent so I wouldn’t have to worry about managing any Foundry infrastructure. ...