Preventing OWASP MCP01 Token Mismanagement and Secret Exposure in a .NET MCP server with Key Vault, telemetry redaction, and runtime injection.

Preventing Token Mismanagement and Secret Exposure in MCP Servers

When building an MCP server for my side project (Biotrackr), one of the first things I had to think about was how to manage secrets. The MCP server needs an APIM subscription key to call downstream health data APIs, and it also exposes an API key for clients connecting to it. That’s two secrets that need to be stored, distributed, and protected, and if either one leaks, the blast radius could extend across the entire platform. ...

March 23, 2026 · 12 min · Will Velida
Overview of the OWASP Agentic Top 10 implemented in a .NET AI agent with practical security controls.

Securing AI Agents: Implementing the OWASP Top 10 for Agentic Applications to my Health Data Agent

The OWASP Top 10 for Agentic Applications (2026) identifies the most critical security risks facing AI agents, from prompt injection and tool misuse to identity abuse and cascading failures. The guidance is thorough, but what does it actually look like to implement these controls in a .NET agent? This series answers that question by walking through every applicable control from the OWASP Agentic Top 10, showing how each was implemented in Biotrackr, my personal health data tracker with a Claude-powered chat agent built on Microsoft Agent Framework, .NET 10, and Azure. ...

March 13, 2026 · 9 min · Will Velida
Preventing OWASP ASI08 Cascading Failures in a .NET AI agent with resilience handlers, structured error responses, caching, and distributed tracing.

Preventing Cascading Failures in AI Agents

Your AI agent depends on a chain of services. In my side project (Biotrackr), the chain looks like this: Claude API for reasoning, APIM for routing, downstream APIs for health data, and Cosmos DB for chat history. When one link in that chain fails, things can get ugly fast. Imagine this: Claude API returns a 429 (rate limited). The agent retries the same request. Each retry consumes more tokens. More 429s. The conversation times out. The user sees an error and submits again, doubling the load. A single rate limit hit has cascaded into a degraded experience, wasted tokens, and a frustrated user (in my case, just me screaming at my own agent 😅 For you, however, that would be your customers!). ...

March 12, 2026 · 30 min · Will Velida
Preventing OWASP ASI09 Human-Agent Trust Exploitation in a .NET AI agent with medical disclaimers, tool-grounded responses, trust calibration, and confidence indicators.

Preventing Human-Agent Trust Exploitation in AI Agents

Your health data agent says: “Your sleep quality improved 23% this month compared to last month.” You adjust your bedtime routine, change your medication timing, or skip a doctor’s appointment because “the AI says I’m improving.” But what if the 23% was hallucinated? What if the agent compared 30 days to 28 days without normalising? What if one of the tool calls failed and the agent filled in the gap with a plausible-sounding number? ...

March 12, 2026 · 28 min · Will Velida
Preventing OWASP ASI07 Insecure Inter-Agent Communication in a .NET AI agent with mutual authentication, signed messages, anti-replay, typed contracts, and protocol pinning.

Preventing Insecure Inter-Agent Communication in AI Agents

Biotrackr is a single-agent system. One agent, twelve tools, one identity. That is an architectural choice that eliminates an entire vulnerability class: Insecure Inter-Agent Communication (ASI07). But what happens when the system grows? Imagine Biotrackr evolves into a multi-agent platform: a Data Retrieval Agent that fetches health records, a Health Advisor Agent that provides wellness recommendations based on trends, and an Orchestrator Agent that coordinates them. Suddenly, agents are talking to each other, passing data, delegating tasks, sharing context. Every message between them is a potential attack surface. ...

March 12, 2026 · 29 min · Will Velida