Improving Code Quality continuously

schmittjoh
October 23, 2014


What is quality, and why should I care about it? What are the business benefits and which practices help me achieve them?


Transcript

  1. IMPROVING CODE QUALITY CONTINUOUSLY
     Johannes Schmitt, scrutinizer-ci.com

  2. AGENDA
     1. Quality
     2. Business Benefits
     3. Practices
     4. Examples/Tooling

  3. QUALITY
     What is quality? Why is it interesting? How can we achieve it?

  4. WHAT IS QUALITY?
     - "Quality is universally recognizable; it is related to a comparison of features and characteristics of products."
     - "Quality is a precise measurable variable. Differences in quality reflect differences in quantity of some product attribute."
     - "Quality is fitness for intended use."
     - "Quality is conformance to specifications."
     - "Quality is meeting or exceeding customer expectations."
     - "A product that is free of defects."

  5. WHAT IS CODE QUALITY?
     - Deliver new functionality in the fastest sustainable lead time
     - Successfully execute large development initiatives
     - Innovate, react timely to rapidly changing business environments

  6. BUSINESS BENEFITS
     Why is quality interesting?

  7. BUSINESS BENEFITS (I): WHY CARE ABOUT CODE QUALITY AT ALL?
     I. Lower defects in software products
     - Higher customer satisfaction
     - Better return on investment
     - Higher confidence for business partners

  8. BUSINESS BENEFITS (II): WHY CARE ABOUT CODE QUALITY AT ALL?
     II. Predictability of software development
     - Creates trust between internal business partners
     - Pride of ownership
     - Motivating

  9. BUSINESS BENEFITS (III): WHY CARE ABOUT CODE QUALITY AT ALL?
     III. Scalability (of team size)
     - Easy to add more developers
     - Reduces dependency on a single developer

  10. BUSINESS BENEFITS (IV): WHY CARE ABOUT CODE QUALITY AT ALL?
     IV. Velocity and agility
     - Higher maintainability
     - Adding new functionality more quickly
     - More time for non-functional requirements like performance, scalability, security, reliability, etc.

  11. BUSINESS BENEFITS (V): WHY CARE ABOUT CODE QUALITY AT ALL?
     V. Ability to innovate
     - Fertile technical environment
     - Rapidly prototype, test, and illustrate new ideas

  12. PRACTICES FOR ACHIEVING HIGH CODE QUALITY

  13. PRACTICES (I) FOR ACHIEVING HIGH CODE QUALITY
     I. Agile Architecture
     - Constantly evolve the design and architecture
     - Concurrently add new features
     Principles: emergent design, intentional architecture, design simplicity, design for testability, prototyping, domain modeling

  14. PRACTICES (II) FOR ACHIEVING HIGH CODE QUALITY
     II. Continuous Integration/Inspection
     - Find regressions as soon as possible
     - Accountability
     - Peer pressure not to break something

  15. PRACTICES (III) FOR ACHIEVING HIGH CODE QUALITY
     III. Refactoring
     - Key enabler of emergent design
     - Necessary and integral part of Agile

  16. PRACTICES (IV) FOR ACHIEVING HIGH CODE QUALITY
     IV. Collective Ownership
     - Everyone can change every line
     - No dependency on a single person
     Requirements: proven, agreed-upon coding standards; simplicity in design; knowledge sharing

  17. APPLYING PRACTICES & EXAMPLES
     How can these practices be applied? How can tooling help me?

  18. EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
     Emergent Design
     - Initial design based on what you know
     - Evolve the design as you learn more
     Alternative approaches
     - No design
     - Fixed time for design (mostly upfront)

  19. EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
     Maintainable Design (just as much design as needed): emergent design, refactoring, knowledge of design patterns.
     Application of design patterns:
     - Not "the only solution to a recurring problem"
     - Require a thought process
     - Provide approaches to solve problems

  20. EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
     Code metrics can help decide when to refactor
     - Many, many metrics exist
     - Focus on the most important: complexity, readability, duplication
     Alternatives:
     - Code that is annoying
     - Scratch method

  21. EMERGENT DESIGN EXAMPLE I
     Example:
     - Controller that launches AWS instances
     - Form to define instance properties

  22. EMERGENT DESIGN EXAMPLE I

  23. EMERGENT DESIGN EXAMPLE I
     1. We extract the logic for determining the AWS region
     2. We commit the code

  24. EMERGENT DESIGN EXAMPLE I
     Scrutinizer automatically analyzes your code and displays any changes.

  25. EMERGENT DESIGN EXAMPLE I

  26. EMERGENT DESIGN EXAMPLE I
     We extract the logic for generating a list of images.

  27. EMERGENT DESIGN EXAMPLE I
     We already extracted:
     1. Code for determining the AWS region
     2. Code for generating image choices
     Let's extract the form generation code, too.

  28. EMERGENT DESIGN EXAMPLE I
     We already extracted:
     1. Code for determining the AWS region
     2. Code for generating image choices
     3. Code for building the form
     Next: extract the code for building up AWS instance launch data.

  29. EMERGENT DESIGN EXAMPLE I
     We extracted:
     1. Code for determining the AWS region
     2. Code for generating image choices
     3. Code for building the form
     4. Code for creating AWS launch data
     Simple refactorings made the method intention-revealing and easy to read.

  30. EMERGENT DESIGN EXAMPLE I
     Refactoring is also an enabler for non-functional concerns like performance testing. Smaller chunks of code make it easier to find the bottleneck.

  31. EMERGENT DESIGN EXAMPLE I

  32. EMERGENT DESIGN EXAMPLE II
     Initial situation:
     - We have a collection class InstanceList
     - The instance list has a single filter method
     Next: we want to add another filter method.

  33. EMERGENT DESIGN EXAMPLE II
     Initial situation:
     - We have a collection class InstanceList
     - The instance list has a single filter method
     What we did:
     1. Added getRecentlyStartedInstances()

  34. EMERGENT DESIGN EXAMPLE II

  35. EMERGENT DESIGN EXAMPLE II
     Different types of duplication:
     - Literal duplication (copy/paste)
     - Duplication in structure
     - Intentional/unintentional

  36. EMERGENT DESIGN EXAMPLE II
     Introducing a generic match method
     - Removes duplication
     - Updates to filtering only need to be done in a single place
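
The generic match method of Example II, written out as an added example that is not the deck's code: the duplicated loop is kept as the "before", and the Instance fields and the meaning of "recently started" (running, launched within `$window` seconds) are assumptions.

```php
<?php
// Added example, not code from the deck. Instance fields and the rule for
// "recently started" (running, launched within $window seconds) are assumed.
final class Instance
{
    public function __construct(public string $id, public string $state, public int $launchedAt) {}
}

final class InstanceList
{
    public function __construct(private array $instances) {}
    // BEFORE: getRecentlyStartedInstances() repeated this loop with another
    // condition (duplication in structure): every filtering change hit each method.
    public function getRunningInstancesOld(): self
    {
        $result = [];
        foreach ($this->instances as $instance) {
            if ($instance->state === 'running') {
                $result[] = $instance;
            }
        }
        return new self($result);
    }
    // AFTER: a generic match() owns the iteration; filters become predicates,
    // so a change to how instances are filtered is made in one place.
    public function match(callable $predicate): self
    {
        return new self(array_values(array_filter($this->instances, $predicate)));
    }
    public function getRunningInstances(): self
    {
        return $this->match(fn(Instance $i) => $i->state === 'running');
    }
    public function getRecentlyStartedInstances(int $now, int $window = 300): self
    {
        return $this->getRunningInstances()
            ->match(fn(Instance $i) => $now - $i->launchedAt <= $window);
    }
    public function ids(): array
    {
        return array_map(fn(Instance $i) => $i->id, $this->instances);
    }
}

// Constructed sample: two running instances, only one started within the window.
$now = 1700000000;
$list = new InstanceList([new Instance('i-1', 'running', $now - 60),
    new Instance('i-2', 'running', $now - 3600), new Instance('i-3', 'stopped', $now - 30)]);
var_dump($list->getRecentlyStartedInstances($now)->ids());
```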
  37. EMERGENT DESIGN EXAMPLE II
     Possible next refactoring: extract different concerns to different classes
     - Separation of concerns
     - More testable

  38. TESTING YOUR CODE
     Scrutinizer is a complete solution for code quality management. Testing highlights:
     - Rich build environment designed for web applications/private projects
     - Automatic SSH access for easy debugging
     - Zero/minimal configuration thanks to config inference

  39. COMPILER-LIKE SAFETY
     Get compile-time benefits like a statically typed language, and avoid writing tests for basic tasks. Scrutinizer is like a compiler for PHP:
     - Control flow analysis
     - Data flow analysis
     - Abstract interpretation
     - Variable reachability
     - Call graph analysis
     - Live variable analysis
     Checking type safety, dead assignments/unused code, security analysis, and more.

  40. UNDEFINED VARIABLE EXAMPLE
     Naive approach:
     - Gather all variable assignments
     - Check if the variable was assigned
     This can only catch typos.
     Scrutinizer's approach:
     - Run data flow analysis, with a different scope at each flow point
     - Check if the variable is always defined at the flow point where it is used
     This gives more accurate results and does not miss sometimes-defined variables.

  41. UNDEFINED VARIABLE EXAMPLE
     - Data flow analysis also works within expression trees
     - Finds bugs where you only test a single path
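
A toy version of the two approaches from slide 40, added here and not Scrutinizer's implementation: the statement IR is invented for the illustration, and the program checked is constructed so that one variable is assigned on only one branch.

```php
<?php
// Added example, not Scrutinizer's code: a toy "definitely assigned" analysis
// over a tiny statement IR that contrasts the slide's naive check with a
// flow-sensitive one. IR: ['assign', 'x'], ['use', 'x'], ['if', [then...], [else...]].

// Naive: collect every assignment anywhere in the function, then flag uses of
// names never assigned. A name assigned on only one branch is never reported.
function naiveUndefined(array $stmts): array
{
    $assigned = [];
    $uses = [];
    $walk = function (array $stmts) use (&$assigned, &$uses, &$walk): void {
        foreach ($stmts as $s) {
            if ($s[0] === 'assign') { $assigned[$s[1]] = true; }
            elseif ($s[0] === 'use') { $uses[] = $s[1]; }
            else { $walk($s[1]); $walk($s[2]); }
        }
    };
    $walk($stmts);
    return array_values(array_unique(array_filter($uses, fn($v) => !isset($assigned[$v]))));
}

// Flow-sensitive: carry the set of names definitely assigned at each flow
// point; after an if, only names assigned on BOTH paths remain in the set.
// Returns the set after $stmts; names used while possibly undefined go to $report.
function flowUndefined(array $stmts, array $defined, array &$report): array
{
    foreach ($stmts as $s) {
        if ($s[0] === 'assign') {
            $defined[$s[1]] = true;
        } elseif ($s[0] === 'use') {
            if (!isset($defined[$s[1]])) { $report[] = $s[1]; }
        } else {
            $then = flowUndefined($s[1], $defined, $report);
            $else = flowUndefined($s[2], $defined, $report);
            $defined = array_intersect_key($then, $else);   // join of both paths
        }
    }
    return $defined;
}

// Constructed program: $path is assigned only when an option is present but
// used unconditionally afterwards (the "sometimes defined" case); $tyop is a typo.
$program = [['assign', 'opts'], ['if', [['assign', 'path']], []], ['use', 'path'], ['use', 'tyop']];
var_dump(naiveUndefined($program));   // report from the naive check
$report = [];
flowUndefined($program, [], $report);
var_dump($report);                    // report from the flow-sensitive check
```

The naive check reports only the typo, while the flow-sensitive check also reports `path`, which is exactly the "sometimes defined" variable the slide says the naive approach misses.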
  42. ENFORCING A COMMON CODING STYLE
     Scrutinizer
     - Makes it easy to set up a common coding style guide
     - Fixes many coding style issues automatically
     - Does not force a specific style on you
     - Does not depend on a specific IDE
     - Leaves you more time for reviewing other issues during manual review

  43. WEEKLY PROGRESS REPORTS

  44. SECURITY ANALYSIS
     OWASP most critical security issue 2013: injection attacks. Forms of attack:
     - SQL injection
     - Path expansion
     - XML entity injection
     - Command injection
     - Code injection

  45. SECURITY ANALYSIS EXAMPLE 1

  46. SECURITY ANALYSIS EXAMPLE 2

  47. SECURITY ANALYSIS EXAMPLE 2

  48. SECURITY ANALYSIS EXAMPLE 2
     Input is expanded. Passing an input value of ../../app/config/parameters.yml could get you access to very sensitive data.
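
The path expansion pattern from Example 2 next to a hardened variant, added here and not taken from the deck: the template directory, file names and the temporary layout are constructed for the demonstration, and the check is a realpath()-based containment test.

```php
<?php
// Added example, not code from the deck: the "input is expanded" pattern from
// Example 2 next to a hardened version. The template directory, file names and
// the temporary layout below are constructed for the demonstration.

// Vulnerable: the request value is concatenated into the path unchanged, so a
// name such as "../../app/config/parameters.yml" leaves the template directory.
function readTemplateUnsafe(string $baseDir, string $name): string|false
{
    return @file_get_contents($baseDir . '/' . $name);
}

// Hardened: canonicalise with realpath() and accept the result only if it lies
// inside the base directory. Non-existent files resolve to false and are rejected.
function resolveInside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;   // separator keeps "/srv/web" from matching "/srv/webroot"
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

function readTemplateSafe(string $baseDir, string $name): ?string
{
    $path = resolveInside($baseDir, $name);
    return $path === null ? null : file_get_contents($path);
}

// Constructed layout: <tmp>/web/templates/ for templates, <tmp>/app/config/ beside it.
$root = sys_get_temp_dir() . '/pathdemo_' . bin2hex(random_bytes(4));
mkdir("$root/app/config", 0700, true);
mkdir("$root/web/templates", 0700, true);
file_put_contents("$root/app/config/parameters.yml", "database_password: placeholder\n");
file_put_contents("$root/web/templates/hello.twig", "Hello\n");
$templates = "$root/web/templates";

$traversal = '../../app/config/parameters.yml';
var_dump(readTemplateUnsafe($templates, $traversal) !== false); // traversal against the unsafe reader
var_dump(readTemplateSafe($templates, $traversal));             // same input against the hardened reader
var_dump(readTemplateSafe($templates, 'hello.twig'));           // a legitimate in-directory name
```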
  49. SECURITY ANALYSIS EXAMPLE 2
     Scrutinizer performs a security audit of your request data, analyzing the entire call graph.

  50. The end, thank you!