Security culture · Best practices · No excuses
🤡

Don't Be A Clown

Clowns skip the basics. Professionals don't.

Every breach, leak, and outage has a clown behind it — someone who cut corners, ignored best practices, or thought "it won't happen to us." Don't be that person.


Classic Clown Moves
— and how to stop them

ACT 01
🎪
Weak Passwords
"password123" is a punchline, not protection
DO THIS INSTEAD ▸
Use a password manager + strong unique passwords
Generate 20+ character random passwords for every account. Use a manager like Bitwarden or 1Password. Enable MFA everywhere. One reused password takes down the whole circus.
Identity & Access
ACT 02
🎠
No MFA
A password alone is a single locked door with no chain
DO THIS INSTEAD ▸
Enable multi-factor authentication everywhere
Use an authenticator app (TOTP) over SMS where possible. Hardware keys (YubiKey) for high-privilege accounts. MFA stops over 99% of account takeover attacks.
Authentication
ACT 03
🎭
Secrets in Code
Committing API keys and passwords directly in repos
DO THIS INSTEAD ▸
Use secret managers and environment variables
Never hardcode credentials. Use .env files locally (gitignored), and Vault / AWS Secrets Manager / GitHub Secrets in production. Rotate exposed keys immediately.
Secrets Management
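
"Never hardcode credentials" is easiest to enforce with a check that runs before the commit lands. The following is an added example, not from this page or any particular tool: a small scanner over file content that flags the AWS access-key-ID shape, private-key blocks and quoted `password=`/`api_key=`-style assignments, while skipping lines that read the value from the environment. The sample file is constructed; the `AKIA...EXAMPLE` value is AWS's documented placeholder, not a live key, and the regular expressions are assumptions that will produce some false positives by design.

```python
import re

# Patterns a pre-commit hook or CI step might run over staged content. The AWS access
# key ID shape (AKIA + 16 upper-case alphanumerics) is documented publicly; the other
# two are generic shapes and will raise some false positives by design.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"\s]{8,})['"]"""
    ),
}

# Lines that read the value from the environment are the pattern we want; skip them.
ENV_SOURCE = re.compile(r"os\.environ|os\.getenv|process\.env|\$\{?[A-Z_]+\}?")

# Constructed sample of a file about to be committed (the AKIA value is AWS's
# documented placeholder, not a live key).
SAMPLE_FILE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk_test_constructed_0123456789"
token = os.getenv("TOKEN")
-----BEGIN RSA PRIVATE KEY-----
"""


def mask(value: str) -> str:
    """Report only the ends of a match so the scanner's own output doesn't leak the secret."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-4:]


def scan_text(text: str, path: str = "<stdin>") -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_SOURCE.search(line):
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                # For the assignment rule, report the quoted value (last group), not the key name.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append({"path": path, "line": lineno, "rule": rule, "match": mask(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE, "app.py"):
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['match']}")
```

A scanner like this belongs in a pre-commit hook and in CI, and its findings should fail the build; once a key has reached a remote, treat it as exposed and rotate it, because rewriting history does not undo the clones already taken.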
ACT 04
🤹
Everything is Admin
Giving every user and service root or admin access
DO THIS INSTEAD ▸
Principle of least privilege
Grant only the permissions a user or service actually needs — nothing more. Use IAM roles, RBAC, and scoped service accounts. Review and prune access quarterly.
Access Control
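
The quarterly access review is easier when a script does the first pass. The following is an added example, not from this page or from AWS, that audits an IAM-style policy document for the "everything is admin" pattern: `Action: "*"`, service-wide `service:*` wildcards, `Resource: "*"`, a small set of identity-administration actions worth a human look, and statements that grant by exclusion with `NotAction`/`NotResource`. The policy is constructed; the review list is an assumption you would tune to your own environment.

```python
import json

# Constructed policy: the first statement is the "everything is admin" anti-pattern,
# the second is what a service that only reads one bucket actually needs.
SAMPLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminForEveryone", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}
"""

# Identity-administration actions that deserve a human review whenever they are granted
# (assumed list; extend for your environment).
REVIEW_ACTIONS = {"iam:*", "iam:PassRole", "iam:CreateAccessKey", "iam:AttachUserPolicy"}


def _as_list(value) -> list:
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not what we are hunting
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append({"sid": sid, "issue": "Action is '*'"})
        elif any(a.endswith(":*") for a in actions):
            findings.append({"sid": sid, "issue": "service-wide wildcard action"})
        if "*" in resources:
            findings.append({"sid": sid, "issue": "Resource is '*'"})
        flagged = sorted(REVIEW_ACTIONS.intersection(actions))
        if flagged:
            findings.append({"sid": sid, "issue": "identity-admin actions: " + ", ".join(flagged)})
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"sid": sid, "issue": "NotAction/NotResource grants by exclusion; review manually"})
    return findings


def audit_policy_text(text: str) -> list:
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for f in audit_policy_text(SAMPLE_POLICY_JSON):
        print(f"{f['sid']}: {f['issue']}")
```

The scoped `ReadOneBucket` statement produces no findings; that is the shape to aim for: a named principal, the actions it actually calls, and the resources it actually touches.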
ACT 05
🎈
No Patching
Running software years out of date "because it works"
DO THIS INSTEAD ▸
Automate patching and dependency updates
Enable auto-updates on OS and critical software. Use Dependabot or Renovate for dependencies. Have a defined SLA: critical CVEs patched within 24h, high within 7 days.
Vulnerability Management
ACT 06
🎶
Click Everything
Opening every link and attachment without thinking
DO THIS INSTEAD ▸
Think before you click — verify before you act
Check sender addresses carefully. Hover links before clicking. Confirm urgent requests via a second channel. If a message creates pressure or urgency — that's the red flag.
Phishing Awareness
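
"Check the sender, hover the link, notice the urgency" can be turned into a first-pass triage that a mail gateway or a helpdesk tool runs before a human looks. The following is an added example, not from this page: it compares the Reply-To domain with the From domain, compares what each link's visible text claims against where its `href` actually points, and counts urgency phrases. The message is constructed with `.example` domains; the phrase list and the two-label domain comparison are simplifying assumptions (production code should use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; .example domains, not real senders.
SAMPLE_HEADERS = {
    "From": "Bank Support <alerts@bank.example>",
    "Reply-To": "helpdesk@mail-relay.example",
}
SAMPLE_BODY = (
    "<p>Your account will be suspended. Please "
    '<a href="http://bank.example.login-verify.example/x">https://bank.example/login</a> '
    "immediately.</p>"
    '<p><a href="https://bank.example/help">Help centre</a></p>'
)

URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours",
                   "verify your account", "act now")
ADDR_IN_BRACKETS = re.compile(r"<([^>]+)>")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what 'hover before you click' compares."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of_address(header_value: str) -> str:
    """'Display Name <user@host>' -> 'host'. The display name is sender-chosen text;
    only the part after '@' is worth comparing."""
    m = ADDR_IN_BRACKETS.search(header_value)
    addr = m.group(1) if m else header_value
    return addr.rsplit("@", 1)[-1].strip().lower()


def host_of(url_like: str) -> str:
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels only (simplification; 'co.uk'-style suffixes need the PSL)."""
    return ".".join(host.strip(".").split(".")[-2:])


def looks_like_url(text: str) -> bool:
    return "://" in text or ("." in text and " " not in text)


def triage(headers: dict, html_body: str) -> list:
    flags = []
    from_dom = domain_of_address(headers.get("From", ""))
    if headers.get("Reply-To"):
        reply_dom = domain_of_address(headers["Reply-To"])
        if reply_dom != from_dom:
            flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if looks_like_url(text) and registrable(host_of(text)) != registrable(host_of(href)):
            flags.append(f"link text shows {host_of(text)} but points to {host_of(href)}")
    lowered = html_body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags
```

None of these signals is proof on its own; the point is that each one is cheap to compute and, together, they reproduce the checks the text asks a human to make. The "confirm via a second channel" step stays with the human.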

Security is not a
feature — it's a habit

Clowns treat security as an afterthought, a checkbox, or someone else's problem. It isn't. Every developer who ships without sanitising input, every admin who skips MFA, every user who reuses passwords — they're all wearing the same big red nose. Security isn't the job of one team. It's baked into everything: how you write code, how you manage access, how you respond at 2am when something breaks. Do it properly. Every time. No exceptions.

Do It Right —
Every Time

I

Encrypt everything in transit and at rest

TLS 1.2+ for all traffic. AES-256 for data at rest. No exceptions for "internal" services — lateral movement is real.

II

Log, monitor, and alert

Centralise logs (SIEM). Alert on anomalies. If you don't know what normal looks like, you won't notice when it changes. Review alerts — don't just collect them.
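
"Know what normal looks like" becomes concrete once an alert is written down as code. The following is an added example, not from this page or any SIEM product: a sliding-window detector over authentication events that raises a medium alert when one source address reaches a threshold of failures inside a window, and a high alert if that source then logs in successfully. The log lines and their format are constructed, with TEST-NET addresses; threshold and window are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log in a simple "<ts> auth <ok|fail> user=<u> src=<ip>" format.
# Source addresses come from the TEST-NET ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth fail user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth fail user=bob src=203.0.113.5
2024-05-01T10:00:04Z auth ok user=carol src=198.51.100.7
2024-05-01T10:00:06Z auth fail user=carol src=203.0.113.5
2024-05-01T10:00:07Z auth fail user=dave src=203.0.113.5
2024-05-01T10:00:09Z auth fail user=erin src=203.0.113.5
2024-05-01T10:00:12Z auth ok user=erin src=203.0.113.5
2024-05-01T10:30:00Z auth fail user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown format: skip it rather than crash the pipeline
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, threshold: int = 5, window_s: int = 60) -> list:
    """One medium alert when a source reaches `threshold` failures within `window_s`;
    one high alert if that same source then authenticates successfully."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failures in the window
    bursting = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "fail":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                users = len({u for _, u in q})
                alerts.append({"severity": "medium", "src": src,
                               "msg": f"{len(q)} failed logins for {users} users in {window_s}s"})
        elif src in bursting:
            alerts.append({"severity": "high", "src": src,
                           "msg": f"successful login as {ev['user']} after failure burst"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["src"], a["msg"])
```

The distinct-user count in the medium alert is what separates one person fat-fingering a password from a spray across many accounts; the high alert is the one that should page someone.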

III

Test your backups — don't just take them

An untested backup is a belief system, not a safety net. Run restore drills. Ensure backups are offsite, versioned, and — ideally — immutable.

IV

Validate all input. Trust nothing.

Every form field, API parameter, and file upload is an attack surface. Sanitise and validate server-side. Parameterise queries. Never trust what the client sends.

V

Have a response plan before you need it

Define your incident response runbook in advance. Know who calls who. Know how to isolate, contain, and communicate. A breach with a plan is manageable. Without one, it's a circus.