Is clean and secure code a myth or a reality?

Is clean and secure code a myth or a reality?
Each programming language is designed with different operating systems, platforms, coding styles and intended use in mind. We usually hear about Python, PHP, Ruby, jаvascript, Java, C, C++ and C#, as well as more modern versions of them, such as Rust, Swift, Hack and many others.

One of the components of the smooth operation of any applications (in addition to stable servers, balanced load, etc.) is clean code. However, is pure code possible in real life, or are these just the dreams of programmers? Where do vulnerabilities come from and how to avoid bugs?

"Programming is the art of telling another person what they want from a computer"

Donald Knuth

What is pure code?
When it comes to pure code, we present perfectly thought-out strings. This is code that was planned before it was written. It is so well planned that at the first launch it works without errors and without flaws.

However, real programming is much more complicated: no matter what you do, it's hard to avoid mistakes. Doubts about your own professional aptitude continue to grow, and a mistake that you thought would take five minutes to fix eventually takes hours. In addition, the function that you were going to implement has turned into a serious problem for the project.

In this case, it is important to keep in mind that it is impossible to write perfect code right away. To do this, you need to spend many hours thinking and planning in detail. Here everyone chooses for himself what is more important: writing clean code or speed of work.

Clean code is objectively good code. It is written as succinctly and elegantly as possible, without duplication. It is structured in such a way that it is easy to read by both people and computers. Everyone can write code that is understandable to a computer, but only a good programmer can write code that is understandable to a person.

Carelessly written code is expensive, and it takes a lot of time and effort to maintain it. In addition, the code is more prone to errors that can cause the program to crash.

It should be understood that pure code is a product of collaboration, when everyone in the team needs to understand the code. This optimizes the work in case of a change in the team composition and greatly simplifies refactoring and debugging.

Basic concepts
Refactoring is the process of optimizing program code without changing its external behavior in order to improve performance, readability, testability or maintainability. In fact, when refactoring, you improve the design of the code after it has been written.

Debugging is the correction of errors in the code.

Nevertheless, even pure code has an expiration date. Software and computing exist in a rapidly changing landscape. Code that used to be clean is becoming obsolete.

Basic concepts
Legacy code is code that is not maintained or updated, but is used. It works or not, while no one understands why. The older the code in your codebase, the harder it is to understand, no matter how well it was written.

As a result, despite the fact that the codebase may be initially clean, the need to scale, make changes and the emergence of new requirements may lead to its contamination.

Criteria by which the code can be considered clean:

Lack of code redundancy
The code must comply with the DRY rule (Don't repeat yourself in English — "don't repeat yourself"). This means that any change in one section should not require changes in others.

Minimum dependencies
If there are many dependencies in the code, it is more difficult to maintain or change it in the future.

Minimum extensions
The code should contain a minimum number of both classes (templates for creating objects that provide initial state values) and methods (functions or procedures belonging to a particular class or object.

Functionality and readability of the code
The code should be simple, convenient and understandable so that any developer can quickly read it. To do this, many developers use the rules of KISS (keep it simple and straightforward from English — "keep it simple") and YAGNI (You aren't gonna need it from English — "you won't need it").

Code Analysis
Use static analysis language tools to test your code.

Code quality and security
By itself, the high quality of the software does not imply that this software is safe. The absence of vulnerabilities in the code is still not a requirement for most development companies.

Why is security taking a back seat?
In the development world today, functionality and speed outweigh security. Enterprises cannot outpace competitors without creating and releasing new features in a short time.
Security is not a competitive difference: consumers don't think about security when using an app or when buying a smart device, whether it's a smart thermostat or a light bulb. Let's recall an incident from 2020 when a drone was able to hack Philips Hue smart bulbs and cause a viral reaction.
According to the Veracode report, more than three quarters (75.8%) of applications have at least one security flaw, and 23.7% contain high-severity flaws, and fixing these flaws usually takes months.

It should be borne in mind that vulnerable code poses a threat not only to the user, but also to the developer.

Modern operating systems and applications are connected via the Internet and are regularly updated. In most cases, these updates are made not only to add additional features, but also to fix bugs. Updates make the system more resistant to new malware. We wrote more about the need for updates in the analytical review.

Because of vulnerabilities in the code, hackers make attacks on devices. So, they can steal information, interfere with the operation of the device or delete all important information for you.

Code vulnerabilities
The list of existing vulnerabilities is quite long, so we will consider only some of the most common, as well as those that cause the most damage. According to the study, one of the most popular vulnerabilities are: Information leakage (information leakage) — 65.9%; Cross-Site Scripting (XSS, cross—site scripting) - 47.1%; SQL Injection (SQL code injection) - 27.8%.

Ensuring the security of the application is primarily the task of the developer, who from the first lines of writing the product code should take care of the security of the product and users. Information security specialists can help improve the code by searching for vulnerabilities that need to be closed.

In an ideal world, the developer (independently or with the involvement of specialists) tests the product for penetration, using the most popular and new hacking methods, and then analyzes the result and draws conclusions.

Code quality and code security are not the same thing, but they are closely related. And in the current cyber threat environment, developers have to take care of both. It's easier to write good code right away than to fix security-affecting bugs that need to be found first, ahead of the attackers.

Perfect code, unfortunately, is not always possible, but it is important to try to write code as cleanly as possible. It is necessary to constantly improve your skills and learn.

Below we have collected useful resources that will help you master the skill of safe and clean coding.

Useful resources
What to read?
"Pure code. Creation, Analysis and refactoring", Robert Martin
In this book, consisting of three parts, you will learn how to distinguish bad code from good and how to fix it. In the first part, the author describes the basic principles and techniques of creating clean code and gives examples of "correct" code. In the second book, he demonstrates scenarios that are exercises for cleaning code or for converting low-quality code into code with fewer errors. In the last part, the author describes the way of thinking of a person in the process of reading, writing and cleaning code.

The book is written in simple language, so even a novice programmer can master it. It is recommended to read the book to people who are just beginning to master the profession, because it is important to learn the principles of writing the right code at the very beginning of work.

"Refactoring. Improving Existing Code", Martin Fowler
This book has become a textbook for many developers around the world. It details the ideology of refactoring. The basis of the book is a detailed list of more than 70 refactoring methods, for each of which the motivation and technique of proven code conversion with examples in Java are described. The methods discussed in the book allow you to modify the code step by step, making small changes each time, thereby reducing the risk associated with the development of the project.

The book is intended for both relatively new developers. She will show senior developers how to teach refactoring to others.

"Code Complete", by Steve McConnell
This is a highly regarded book in the software development industry. The main message is "software errors arise due to the complexity of the code." The book was written almost 30 years ago, since then the ideas have been firmly embedded in the software development community.

This book will be useful for developers with 3-5 years of experience. It should be borne in mind that in some places it is frankly outdated and may not always be applicable to the development capabilities of small companies.

One disadvantage is the large volume of the book and the fact that it seems to be mainly focused on object-oriented languages (C++, Java) and even older imperative ones (C, Ada, etc.)

Read more about the principles of YANGI, DRY, KISS and SOLID.
What to see?
Amigoscode - accelerated programming courses, security courses and programming tutorials. For novice programmers, this channel will provide a lot of useful tips, practical examples and scenarios.