Home About Projects Blog Subscribe Login

Why "Clean" Is the New "Secure"

We throw security tools at mess. It doesn't work. The most secure systems I've ever seen were the simplest ones. Why minimizing dependencies and removing code is a better defense than any firewall.

The Security Theater We Built

Walk into any enterprise security operations center and you'll see the same thing: walls of dashboards, threat feeds streaming in real-time, SIEM systems ingesting gigabytes of logs per second, endpoint detection agents on every machine, network intrusion prevention at every hop.

It's impressive. It's expensive. And most of it is fighting the wrong battle.

We've built an entire industry around adding more—more monitoring, more agents, more rules, more alerts. The implicit assumption: complexity is inevitable, so we need equally complex defenses.

But after 20 years in cybersecurity, I've learned the opposite lesson: the most secure systems I've ever seen were the simplest ones.

The Complexity Tax

Every line of code is a liability. Every dependency is an attack surface. Every integration point is a potential breach vector.

At Link11, we protect infrastructure that handles millions of requests per second. When an attack hits, we don't have time to debug a tangled web of microservices or trace through fifteen layers of abstraction. We need systems that are legible—where you can understand the entire flow in your head.

The Log4j vulnerability wasn't just a bug. It was a symptom of dependency hell: a logging library, used everywhere, with features nobody asked for (remote code execution via JNDI lookups), creating a global supply chain crisis.

How many organizations even knew they were running Log4j? How many are still running it today, patched but bloated, because ripping it out means rewriting half the stack?

This is the complexity tax: the more you have, the more you have to defend. And defense doesn't scale linearly—it scales combinatorially.

What "Clean" Actually Means

Clean isn't about aesthetics. It's about minimizing surface area.

At Link11, we routinely delete code. Not refactor—delete. If a feature hasn't been touched in two years and has no active users, it's gone. Every line removed is one less thing to go wrong at 3am.

The Security Paradox of Tooling

Here's the uncomfortable truth: security tools are themselves attack vectors.

Your SIEM agent runs with elevated privileges. Your endpoint protection software has kernel-level access. Your WAF sits in front of every request, parsing untrusted input.

When SolarWinds was compromised, the attackers didn't just breach one company—they breached the security vendor that thousands of companies trusted. The tool meant to protect became the weapon.

This isn't an argument against tooling. It's an argument for ruthless minimalism. Every tool you add must justify its existence:

Most organizations fail the third question. They install vendor software without considering the supply chain risk they've just inherited.

Clean Infrastructure in Practice

So what does a "clean" security architecture actually look like?

1. Immutable infrastructure: Servers are cattle, not pets. Every deploy is a fresh image. No SSH access, no manual patches, no configuration drift. If something's wrong, you don't fix it—you replace it.

2. Zero standing privileges: No permanent admin keys. Every elevated action requires just-in-time access, audited and time-limited. Your credential database can't leak what it doesn't store.

3. Network segmentation by default: Microservices don't need to talk to each other just because they're in the same VPC. Default deny, explicit allow. If service A has never called service B in production, the firewall should block it.

4. Static binaries over dynamic runtimes: Go and Rust produce single-file executables with no runtime dependencies. Compare that to a Node.js app with 1,200 packages in node_modules. Which one can you audit? Which one can you trust?

5. Logging that matters: Most logs are noise. The signal-to-noise ratio in a typical SIEM is abysmal. Instead of "log everything and search later," we log decisions: authentication events, authorization failures, state changes. The rest is sampling.

Why This Is Hard

Simplicity is harder than complexity. It's easier to add than to subtract. It's easier to install a vendor product than to ask "do we really need this?"

And there's organizational inertia. Security teams are judged by coverage—how many threats are on the dashboard, how many agents are deployed. Simplicity looks like underinvestment.

But here's what I've learned: the best security teams are the ones that say no.

No to the shiny new EDR tool that promises AI-powered threat detection. No to the microservice rewrite that turns three services into thirty. No to the logging pipeline that ingests terabytes of data nobody will ever read.

Every "no" is a decision to reduce surface area. And in security, surface area is everything.

The Path Forward

If you're a CISO or an engineering leader, here's the exercise I recommend:

Audit your dependencies. Not just npm packages—everything. System libraries, third-party agents, SaaS integrations. For each one, ask:

Then start deleting. Not recklessly—strategically. The goal isn't zero dependencies (that's impossible). The goal is legible infrastructure: a system you can hold in your head, where every piece has a clear purpose and a known risk profile.

Because at the end of the day, security isn't about having the most advanced tools. It's about having the fewest ways to fail.

And that starts with clean.


Follow the journey

Subscribe to Lynk for daily insights on AI strategy, cybersecurity, and building in the age of AI.

Subscribe →