How to Write a Safer and Better Code ?

 

View from the Brisbane River on a beautiful sunday morning
 
During my professional career up to now, I had the chance to work with all sorts of developers. From the reasonable to the excellent ones; and talking with some colleagues this week about that fact I have to say, it does not matter how bad or good they were I must say in every case I've learnt something good with them.
 
One thing specially was common in all the cases: how to write a more secure code.
 
Which brings me to another point of discussion: how do you measure yourself as a code-writer? do you think you are a good coder? What makes you such a good developer? How do you approach a problem before you start coding? And when I stop to think about the last sentence I remember an article I read about making your code safer and a concept I've learned reading the book "Decline and fall of the American programmer" from Edward Yourdon : The silver bullet.
 
Basically the silver bullet is the only thing that can kill a werewolf, portrayed as a software bug or a business problem, and unfortunately just like this mythical creature there is no silver bullet for the real life issues we face everyday. There is no 'exact and single' solution for our problems. So, to make you code safer is literally up to you. Nobody else, therefore excluding the programming language you use.
 
Just because you are using C# it does not means that your application will be a better product than if you were using Visual Basic 6. OK, it will save you development and release time but just the language won't make your product better or your code safer. Again, only the developer can predict and treat the vulnerabilities. And because of this we go to another layer of the development cycle: The design.
 
A better and safer design can do much more for the final product than the language used to develop it can. Safer products are a result from safer designs and good code practices, and it does not matter how good the product is : Once it is released, it can be attacked.
 
No, that's not a sad destiny. As a matter of fact, as a good developer you must find this absolutely normal and expected. I write code with this in mind. Everyday. And even thou the clients tell me: "nah, this is only going to be used within our department", I still do not change my mindset.
 
Can this lead me to a little bit longer development time? yes, but the gains in security and stability in the application are far greater, IMHO. So, I do not worry about the securities holes the application might have in a future because the application will run in a new platform and I should have done "this" instead of "that". Again: I accept the fact the application one day will be attacked. My biggest concern here is: How my code will behave when it gets attacked?
 
So, if you ask me I would suggest you: spend the time you want in improving your code or your technique. We should be proud of our coding skills just like a father is proud of their offspring. And we know sometimes the parents can be blind about their sons skills and abilities.
 
To avoid this pitfall with your code, ask someone senior to review your code...as a matter of fact, I might write about this someday: Do you have a mentor in your company or team? Meet someone who really knows what's he is talking about and ask him to review your work. If this person is really good, I have two words of advice for you: Be humble and prepare yourself.
 
Asking someone to review your work can be an amazing learning experience about yourself and the way you see the problems. Remember what I've mentioned: you always can learn something new, from the good and from the not so good. And this my friends, is a big lesson from life to those who keep an open mind to learn.
 
See you later and happy St. Patrick's day

6 Comments

  • hey, nice writing you have here! :)

    For my case, I never really have a mentor who guide me to write a better code. Usually it's "whatever works"...

  • My web applications are highly insecure because I'm not given enough information to make them secure. This is in spite of the fact that I've invested time in researching security issues. For example, the ASP.NET framework always assumes you are using SQL Server which supports stored procedures and provides none of the equivalent PHP methods (like stripslashes) for preventing SQL injection attacks when using MySQL. I'm planning a detailed rant on how difficult it is to secure web services with many examples of publicly exposed web services that were only meant for internal use.

  • mr Yourdon,
    First of all to me is an honor to me to read your comments here. And yes "The Mythical Man Month" is another classic. I read both about the same time when I as at the uni.

    It is really amazing the fact that nowadays readers and writers can talk and contribute to each other in the same media. Could you imagine if somehow during the early years of the aviation the Wright brothers and Santos Dummont had a blog and could send email messages?

  • hi Robbins,
    I am sure you will find plenty of options to make your .net applications secure. about the sql injection attacks case a simple way to do this is to use store procedures and pass the parameters using the addParameter function. The webservices is a little bit tricky and deserves maybe a longer post in a future.

    The thing is Microsoft pushed the .net to the masses but unfortunatelly it did not pushed the best practices in how to use it. That's why I normally work fixing bad developed .net applications.

    I recommend you to take a look at the webservice software factory project. (www.codeplex.net/servicefactory) it has many recipes to develop webservices applications and to make them secure, using the Microsoft guidance package.

    In your blog I see that you are using subsonic. do you want to see another good news? if you use this guidance package I told you, you won't need subsonic anymore :)

    happy coding!

  • hi Prissilia, I know exactly what you mean, specially because I lived for a few years in Singapore and I know how urgent is your market.
    As a good point, I miss my mahjong games with "the auties and the uncles", and their faces when they beat "the ang mo" up :)

  • hi Todd,
    That's another link but still from the same team in Microsoft. Thanks for sharing this one as well hosted on codeplex.

Comments have been disabled for this content.