whatisgithub

What is how-to-secure-anything?

veeral-patel/how-to-secure-anything — explained in plain English

Analysis updated 2026-06-24

10,218Audience · generalComplexity · 1/5Setup · easy

In one sentence

A written guide to security engineering that teaches the same core principles, know your adversaries, minimize access, and design for failure, whether you are securing software, a building, or a casino.

Mindmap

mindmap
  root((how-to-secure-anything))
    Core Principles
      Minimize attack surface
      Least privilege
      Fail-safe defaults
    Process
      Identify adversaries
      Define security goals
      Choose controls
      Detect and respond
    Real-World Examples
      Software systems
      Physical buildings
      Banking and voting
    Resources
      Reading lists
      Academic papers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Use the structured threat-modeling process to document who your adversaries are and what controls would stop them before building a new system.

USE CASE 2

Apply the least-privilege and fail-safe-defaults principles to audit access controls in an existing web application or API.

USE CASE 3

Use the curated reading list to build a systematic self-study plan for security engineering covering software, physical, and organizational systems.

How does it compare?

veeral-patel/how-to-secure-anythingmilligram/milligramcefsharp/cefsharp
Stars10,21810,21710,223
LanguageHTMLC#
Setup difficultyeasyeasymoderate
Complexity1/51/53/5
Audiencegeneraldeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

So what is it?

This repository is a written guide to security engineering, the practice of designing systems that are hard to attack or compromise. Unlike most security tutorials that focus on specific tools or code, this guide treats security as a general discipline that applies to anything from computer networks to physical buildings to casinos to medieval castles. The author's argument is that the underlying principles for making something secure are the same regardless of what you are trying to protect. The guide walks through a structured process. It starts with understanding who your adversaries are and what they are capable of, because a system that is secure against one type of attacker may be completely open to another. From there, it covers writing down your security goals in plain language, then choosing specific mechanisms and controls that meet those goals. The README distinguishes between preventing attacks, detecting them as they happen, and responding after the fact. Several core ideas run through the guide. One is minimizing attack surface, meaning the fewer ways in to a system, the fewer ways an attacker can exploit it. Another is giving each part of a system only the access it actually needs, and no more. The guide also covers fail-safe defaults, meaning a system should block access unless it has explicitly been granted, rather than allow access unless explicitly blocked. The repository includes notes on how specific real-world systems have been secured, covering topics like nuclear command and control, bank bookkeeping, web browsers, voting systems, prisons, museums, and zero-trust corporate networks. It also contains reading lists pointing to books and academic papers for readers who want to go deeper. This is a reference document, not a coding project. There is no software to install. The content is written in Markdown and lives in a single README with linked notes. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Using the security engineering principles from how-to-secure-anything, help me write a threat model for my SaaS app, identifying likely adversaries and attack surfaces.
Prompt 2
Apply the minimize-attack-surface and fail-safe-defaults principles from this guide to review my API's authentication design and suggest improvements.
Prompt 3
Based on the detect-prevent-respond framework in how-to-secure-anything, create a security incident response checklist for a small startup.
Prompt 4
Help me write security requirements for a new feature using the goal-then-mechanism approach described in how-to-secure-anything.

Frequently asked questions

What is how-to-secure-anything?

A written guide to security engineering that teaches the same core principles, know your adversaries, minimize access, and design for failure, whether you are securing software, a building, or a casino.

How hard is how-to-secure-anything to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is how-to-secure-anything for?

Mainly general.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.