Agenten, aber sicher 2026

https://slides.com/johann-peterhartmann/

In the C World Everything is just
one

long

Memory.

  • Stack Smashing/Buffer Overflows
  • Heap Overflows
  • Format String Attacks
  • Use-After-Free
  • Integer Overflow
  • Heap Spraying
  • ....

In the C World Everything is just
one

long

Memory.

  • Stack Smashing/Buffer Overflows
  • Heap Overflows
  • Format String Attacks
  • Use-After-Free
  • Integer Overflow
  • Heap Spraying
  • ....

90er

In the Web Everything is just
one

long

String.

  • Cross-Site-Scripting
  • SQL-Injections
  • Remode Code Injections
  • XML Injection
  • HTTP Header Injection
  • ...

In the Web Everything is just
one

long

String.

  • Cross-Site-Scripting
  • SQL-Injections
  • Remode Code Injections
  • XML Injection
  • HTTP Header Injection
  • ...

2000er

  • C: approx. 15 years to repair at CPU, kernel and compiler level
     

  • Web: approx. 15 years to repair in Browser, WAFs, Frameworks

  • C: approx. 15 years to repair at CPU, kernel and compiler level
     

  • Web: approx. 15 years to repair in Browser, WAFs, Frameworks

In the LLM World Everything is just
one

Long

String.

<|im_start|>system
You are a helpful assistant.

<|im_end|>
<|im_start|>user 
What is 5+5?
<|im_end|>
<|im_start|>assistant 
The sum of 5 and 5 is 10. 
<|im_end|>

In the LLM World Everything is just
one

Long

String.

  • System Instructions
  • User Questions
  • Assistant Answers
  • Assistant Reasoning
  • Tool Use
  • Tool Feedback
  • Uploaded Documents
  • Data from RAG
  • Data from databases and services

OWASP Agentic Top 10 / 2026

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

https://ai.meta.com/blog/practical-ai-agent-security/

APIs
RESOURCEs
PROMPTs

Model Context Protocol
Tool Calling Standard
"USB for LLMs"

Warum man MCP nicht trauen kann.

  • MCP Rug Pull:
    User accepts tool for "forever", and the tool swaps to evil functionality
     
  • MCP Shadowing:
    A tool pretends to be a part of or cooperate with another tool
     
  • Tool Poisoning:
    Tool descriptions that look good but are not

MCP Code Mode/Execution

MCP widerspricht oft dem "Law of Two".
Was wäre denn, wenn man das in einer Sandbox machen würde?

Und die geschützten Daten dort nur temporär verarbeitet würden?

Zero
Trust

  1. NEVER TRUST, ALWAYS VERIFY
    Jeder Agent und jede Interaktion wird validiert.
     
  2. ASSUME BREACH
    Design als ob der Hacker schon da wäre
     
  3. LEAST PRIVILEGE
    Minimale Berechtigungen für spezifische Tasks
     
  4. EXPLICIT VERIFICATION
    Kontinuierliche Authentifikation & Authorisierung
     
  5. MICROSEGMENTATION
    Netzwerk/Identity-Isolation pro Agent
     
  6. ASSUME NO IMPLICIT TRUST
    Auch internen Agenten wird nicht getraut.

Guard
Rails

  • Kommerziell: 
    • Microsoft Prompt Shields
    • OpenAI Defenses
    • Amazon Bedrock 
  • Frei
    • Llama von Meta
    • Nemo von Nvidia
    • Gemini
    • Qwen

Links & Quellen

https://genai.owasp.org/initiatives/agentic-security-initiative/

https://slides.com/johann-peterhartmann/agentsecurity2026q1/