Agenten, aber sicher 2026

https://slides.com/johann-peterhartmann/

https://github.com/mayflower/

In the C World Everything is just
one

long

Memory.

  • Stack Smashing/Buffer Overflows
  • Heap Overflows
  • Format String Attacks
  • Use-After-Free
  • Integer Overflow
  • Heap Spraying
  • ....

In the C World Everything is just
one

long

Memory.

  • Stack Smashing/Buffer Overflows
  • Heap Overflows
  • Format String Attacks
  • Use-After-Free
  • Integer Overflow
  • Heap Spraying
  • ....

90er

In the Web Everything is just
one

long

String.

  • Cross-Site-Scripting
  • SQL-Injections
  • Remode Code Injections
  • XML Injection
  • HTTP Header Injection
  • ...

In the Web Everything is just
one

long

String.

  • Cross-Site-Scripting
  • SQL-Injections
  • Remode Code Injections
  • XML Injection
  • HTTP Header Injection
  • ...

2000er

  • C: approx. 15 years to repair at CPU, kernel and compiler level
     

  • Web: approx. 15 years to repair in Browser, WAFs, Frameworks

  • C: approx. 15 years to repair at CPU, kernel and compiler level
     

  • Web: approx. 15 years to repair in Browser, WAFs, Frameworks

In the LLM World Everything is just
one

Long

String.

<|im_start|>system
You are a helpful assistant.

<|im_end|>
<|im_start|>user 
What is 5+5?
<|im_end|>
<|im_start|>assistant 
The sum of 5 and 5 is 10. 
<|im_end|>

In the LLM World Everything is just
one

Long

String.

  • System Instructions
  • User Questions
  • Assistant Answers
  • Assistant Reasoning
  • Tool Use
  • Tool Feedback
  • Uploaded Documents
  • Data from RAG
  • Data from databases and services

OWASP Agentic Top 10 / 2026

A2A: JWS-Support optional

AIP: untergemogelt, IETF
ANS: DNS-Ähnlich

 

APIs
RESOURCEs
PROMPTs

Model Context Protocol
Tool Calling Standard
"USB for LLMs"

"The S in MCP is for Security"

Lokale MCPs, Skills, CLIs:   Eigentlich fahrlässig

https://slides.com/johann-peterhartmann/agentsecurity2026q1

http://github.com/kubernetes-sigs/agent-sandbox

https://github.com/obot-platform/obot

Agentic
Zero
Trust.

  1. NEVER TRUST, ALWAYS VERIFY
    Jeder Agent und jede Interaktion wird validiert.
     
  2. ASSUME BREACH
    Design als ob der Hacker schon da wäre
     
  3. LEAST PRIVILEGE
    Minimale Berechtigungen für spezifische Tasks
     
  4. EXPLICIT VERIFICATION
    Kontinuierliche Authentifikation & Authorisierung
     
  5. MICROSEGMENTATION
    Netzwerk/Identity-Isolation pro Agent
     
  6. ASSUME NO IMPLICIT TRUST
    Auch internen Agenten wird nicht getraut.

https://github.com/agentgateway/agentgateway

Guard
Rails

  • Kommerziell: 
    • Microsoft Prompt Shields
    • OpenAI Defenses
    • Amazon Bedrock 
  • Frei
    • Llama von Meta
    • Nemo von Nvidia
    • Gemini
    • Qwen

Links & Quellen

https://genai.owasp.org/initiatives/agentic-security-initiative/

https://slides.com/johann-peterhartmann/agentsecurity2026q1/