SECURITY BRUTALISM

The Laws of Security Brutalism

Security Brutalism demands simple, uncompromising laws that prioritize clarity and strict enforcement over nuance. In high-stakes environments, complexity breeds loopholes and errors that are ripe for exploitation. By focusing on foundational truths, this approach fosters discipline, predictability, and resilience. With that in mind, here is a set of straightforward laws as a starting point for a brutalist security model.

The Laws

  1. If it’s not being used, it’s an attack surface.
  2. Every dependency is a liability.
  3. Elegant diagrams lie.
  4. Complexity is camouflage for failure.
  5. No consequences, no control.
  6. If it needs training, it failed.
  7. The attacker doesn’t care about your backlog.
  8. Every exception becomes the new standard.
  9. A good policy is one sentence long.
  10. If you can’t break it, you can’t defend it.
  11. Every dashboard lies. Trust the logs.
  12. MFA is the seatbelt. The car still crashes.
  13. What you expose, they will exploit.
  14. Security at rest is security asleep.
  15. Trust is a vulnerability.
  16. No one reads your risk register.