explaingit

veeral-patel/how-to-secure-anything

10,218Audience · generalComplexity · 1/5Setup · easy

TLDR

A written guide to security engineering that teaches the same core principles, know your adversaries, minimize access, and design for failure, whether you are securing software, a building, or a casino.

Mindmap

mindmap
  root((how-to-secure-anything))
    Core Principles
      Minimize attack surface
      Least privilege
      Fail-safe defaults
    Process
      Identify adversaries
      Define security goals
      Choose controls
      Detect and respond
    Real-World Examples
      Software systems
      Physical buildings
      Banking and voting
    Resources
      Reading lists
      Academic papers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Use the structured threat-modeling process to document who your adversaries are and what controls would stop them before building a new system.

USE CASE 2

Apply the least-privilege and fail-safe-defaults principles to audit access controls in an existing web application or API.

USE CASE 3

Use the curated reading list to build a systematic self-study plan for security engineering covering software, physical, and organizational systems.

Getting it running

Difficulty · easy Time to first run · 5min

In plain English

This repository is a written guide to security engineering, the practice of designing systems that are hard to attack or compromise. Unlike most security tutorials that focus on specific tools or code, this guide treats security as a general discipline that applies to anything from computer networks to physical buildings to casinos to medieval castles. The author's argument is that the underlying principles for making something secure are the same regardless of what you are trying to protect. The guide walks through a structured process. It starts with understanding who your adversaries are and what they are capable of, because a system that is secure against one type of attacker may be completely open to another. From there, it covers writing down your security goals in plain language, then choosing specific mechanisms and controls that meet those goals. The README distinguishes between preventing attacks, detecting them as they happen, and responding after the fact. Several core ideas run through the guide. One is minimizing attack surface, meaning the fewer ways in to a system, the fewer ways an attacker can exploit it. Another is giving each part of a system only the access it actually needs, and no more. The guide also covers fail-safe defaults, meaning a system should block access unless it has explicitly been granted, rather than allow access unless explicitly blocked. The repository includes notes on how specific real-world systems have been secured, covering topics like nuclear command and control, bank bookkeeping, web browsers, voting systems, prisons, museums, and zero-trust corporate networks. It also contains reading lists pointing to books and academic papers for readers who want to go deeper. This is a reference document, not a coding project. There is no software to install. The content is written in Markdown and lives in a single README with linked notes. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Using the security engineering principles from how-to-secure-anything, help me write a threat model for my SaaS app, identifying likely adversaries and attack surfaces.
Prompt 2
Apply the minimize-attack-surface and fail-safe-defaults principles from this guide to review my API's authentication design and suggest improvements.
Prompt 3
Based on the detect-prevent-respond framework in how-to-secure-anything, create a security incident response checklist for a small startup.
Prompt 4
Help me write security requirements for a new feature using the goal-then-mechanism approach described in how-to-secure-anything.
Open on GitHub → Explain another repo

← veeral-patel on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.