Laws of Security

THIRTEEN STRATAGEMS OF SECURITY BRUTALISM

1. BE BRUTAL, NOT HOSTILE

Clarity is not cruelty. Interfaces should be sharp, honest, and uncompromising — but never contemptuous. Respect the user by showing them the truth, even when it’s unpleasant.

2. LET NOTHING BE IMPLICIT

Assumptions are attack surfaces. Every permission, access, and action must be deliberate. Force the user — and the system — to make their intentions explicit.

3. MAKE FAILURE LOUD

When things go wrong, they must do so obviously and immediately. Silent failure is a gift to attackers and a betrayal of users. Signal breakage like a fire alarm.

4. REJECT PLEASING MESSAGES

Do not design to soothe. A friendly UI that hides real danger is a traitor. Tell the user what’s really happening — even if it’s ugly.

5. BUILD FOR THE SKEPTIC, NOT THE FOOL

Assume the user is thoughtful but untrusting. Design systems that inform and empower, not ones that manipulate or oversimplify.

6. DENY BY DEFAULT

Access should be earned, not assumed. Say “no” until the system has a provable reason to say “yes.” The absence of a rule is not a rule.

7. FRICTION IS A FEATURE

Speed and smoothness are dangerous illusions. Use friction deliberately — to slow down attackers, to force thought, to demand intention.

8. DESIGN FOR FORENSICS

Every important action should leave a trace. Make systems auditable, debuggable, and accountable. Logs are not optional; they are a memory.
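Stratagems 3, 6 and 8 combine naturally in an authorization check, so here is one as an added example (it is not code from the Security Brutalist Blog). The policy table, the subjects and the resource names are constructed for illustration. Only an explicit allow grants access, an explicit deny beats any allow, a missing rule is recorded as "the default denied this" rather than as a decision someone made, and an unreadable policy store raises instead of quietly returning a verdict:

```python
# Deny-by-default authorization that fails loudly and leaves an audit trail.
# Added example for this page; not code from the Security Brutalist Blog.
# Policy rules, subjects and resource names below are constructed samples.
from dataclasses import dataclass
from fnmatch import fnmatchcase


class PolicyUnavailable(RuntimeError):
    """Raised when no policy can be consulted.

    Deliberately loud: a policy-store outage must not be converted into a
    silent 'deny' (which hides the outage) or a silent 'allow' (which is worse).
    """


@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str   # fnmatch pattern, e.g. "report:*"
    action: str
    allow: bool     # an explicit deny beats any explicit allow


@dataclass(frozen=True)
class AuditEvent:
    subject: str
    resource: str
    action: str
    allowed: bool
    reason: str     # "explicit_allow" | "explicit_deny" | "no_matching_rule"


# Constructed sample policy. Only what is written here is permitted;
# everything else, including actions nobody thought to list, is denied.
SAMPLE_POLICY = (
    Rule("alice", "report:42", "read", allow=True),
    Rule("alice", "report:42", "delete", allow=False),
    Rule("svc-export", "report:*", "read", allow=True),
)


def matches(rule, subject, resource, action):
    """A rule applies only when subject and action are exact and the resource pattern fits."""
    return (rule.subject == subject
            and rule.action == action
            and fnmatchcase(resource, rule.resource))


def authorize(policy, subject, resource, action, audit):
    """Return True only if an explicit allow matches and no explicit deny does.

    `policy` is the tuple of Rules currently loaded, or None when the policy
    store could not be read. `audit` is a list that receives one AuditEvent
    per decision, including the reason the decision came out the way it did.
    """
    if policy is None:
        # Fail closed AND fail loud. Returning False here would be safe for this
        # one request but would hide the outage from everyone downstream.
        raise PolicyUnavailable(
            f"no policy loaded; refusing {subject} {action} {resource}")

    hits = [r for r in policy if matches(r, subject, resource, action)]
    if any(not r.allow for r in hits):
        decision, reason = False, "explicit_deny"
    elif hits:
        decision, reason = True, "explicit_allow"
    else:
        # The absence of a rule is not a rule: nothing matched, so the answer
        # is no, and the log records that the default denied it, not a rule.
        decision, reason = False, "no_matching_rule"

    audit.append(AuditEvent(subject, resource, action, decision, reason))
    return decision


if __name__ == "__main__":
    trail = []
    for req in [("alice", "report:42", "read"),
                ("alice", "report:42", "delete"),
                ("alice", "report:43", "read"),
                ("svc-export", "report:43", "read"),
                ("svc-export", "report:43", "delete")]:
        print(req, authorize(SAMPLE_POLICY, *req, trail))
    for event in trail:
        print(event)
    try:
        authorize(None, "alice", "report:42", "read", trail)
    except PolicyUnavailable as exc:
        print("policy store down:", exc)
```

Note that "no_matching_rule" is a distinct reason from "explicit_deny". When the audit trail is reviewed, the difference tells you whether someone decided to block alice from report:43 or whether nobody ever granted it; the "absence of a rule" becomes visible evidence instead of an assumption.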

9. EXPOSE THE EDGES

Let users see where the system begins and ends. Interfaces should show seams, not hide them. If it feels safe, it must be safe — not just look it.

10. TRUST NOTHING INTERNALLY

No component, process, or assumption should be exempt from scrutiny. Compartmentalize aggressively. The inside of the system is not a safe zone.

11. COMPLEXITY IS BETRAYAL

Unnecessary layers and hidden behaviors breed security flaws. Simplicity is not minimalism — it is ruthlessly eliminating what does not serve defense.

12. TEACH THROUGH CONSEQUENCE

Warnings should be earned through risk, not tossed around idly. Let mistakes sting just enough to educate — not enough to destroy.

13. NEVER FAKE SAFETY

Don’t reassure. Don’t pad risk with soft language. Tell the user what they’re doing, what it costs, and how it can go wrong — then let them proceed with full knowledge.



These 13 stratagems were originally posted on the Security Brutalist Blog.