Things I value in software/application design

Below are my personal opinions. I will explain some on them in details in future posts.

  • Proper design over hacking.
    • Not the security type of hacking, for the differences, read my post here. There is a Chinese old saying: “Think three times before you act.” My experience currently is that if the developer think half way through before he starts, it will be a relative successful project. And we give this all sorts of fancy terms such as “Agile”, “Bias for action”, “RAD”. I call it stupid.
  • Static over dynamic.
    • I mentioned this preference in my previous post here. Another example I want to give is when I debug some “fancy” code, it gives me a lot of headache when everything is dynamically picked. Reading the code will give you no clue what actually happens and you have to set break points and get dirty.
  • Separation over combination (which can be easier to use short term)
    • There are a lot of “powerful” library and frameworks out there. Their feature list is long and getting longer. But in my opinion, they should “do one thing and do one thing well” (Unix philosophy). And you should also keep this in mind when you write your code.
  • Simplicity over optimization.
    • “Premature optimization is the root of all evil.” —Donald Knuth. Need I say more? Actually one thing I would like to say is that quite often, you don’t even realize you are doing premature optimization. You are simply doing nature things as a well trained engineer, cache this, minify that, etc. I say you should question everything you do all the time if it is absolutely necessary.
  • Encapsulation over extensibility
    • Don’t get me wrong, inheritance and polymorphism are powerful programming concepts. Some libraries and frameworks leverage this and you can simply implement an interface or two to use them. However, I rarely see they get used properly when build internal systems. I see all the time an interface or parent class got one and only one implementer, which only makes the debugging experience horrible because you cannot get to the real code directly from the caller.
  • Configuration over convention (No I did not get the order wrong. I mean it.)
    • Convention over configuration is a software design paradigm advocated and embraced by a lot of people. It even has its own wikipedia page. I hate it, especially those “RAD” frameworks using this as an excuse to create tons of “dark magic”. The result is poor discoverability, hard to maintain code, buggy and hard to debug. An example I have to mention is a PHP framework called Lithium. Just don’t use it.

Hacking vs Engineering vs Hacking

Recently I’ve been bombarded with the Sony hack news. If you have not heard of this, Google it. In case you are reading this way in the future than 2014 (which will makes me really happy), I’m talking about the hack of the United States Sony Pictures Entertainment (Not the Japanese Sony Corporation) by an organization call itself GOP (Guardian of Peace) that got revealed Nov 2014, so I can future Google it more accurately since Sony and its playstation network has been hacked before and who says they won’t be in the future. FBI claims GOP is from North Korea. All I know is it is definitely not from United States since no org from USA would make their abbreviation to collide with the Republican party (Grand Old Party). It is really confusing and when I first heard Sony was hacked by GOP, I’m like what???

The news has been constantly developing for almost a month, I’m getting tired of it but also realizing that all these news has brought a lot of negative images and impressions to the public about “hacking”. Of course here I mean the first hacking in my title which is the act of quickly get prototype or early version of products out using fast but non proper engineering methods due to. This meaning of hacking also extended to hardware and other engineering or even just daily life. This kind of hacking is great for our society. Here is a Catherine Bracy: Why good hackers make good citizens. However, due to the similarity of this type of hacking with the criminal hacking and maybe limitation of English language, the public probably developed a strong negative point of view to both type of hacking.

Now, let me get back to the more narrowed “hacking” in software development and corporate security. As software developer, we are constantly under time pressure and limited resources. Also it is almost impossible to nail the requirement at the beginning, customer changes mind a lot. So more and more we see software development goes to more agile process and pivot a lot along the way. Naturally, we hack a lot because we need it fast and it could be throw away tomorrow. We’ve all done things like put the username and password in the source code, not check user input for potential injection attack. And frankly, what happened in Sony such as have password saved in a password.txt file that everyone can access, I can see it as a “life hack”.

So hack leads to security holes leads to being hacked. In a lot of places, once product is online or once business flow is settled, the developers are pulled to work on the next thing. And the holes are just left there waiting to be hacked. Even without being hacked, a lot of times, simply the increasing of traffic volume, edge case abnormal data could cause disaster to the hacked up product. The proper way to do it in my opinion is to put resource to properly engineer the hacked up product, so that hacking + engineering = success but not hacking + hacking = failure. Unfortunately, a lot of company failed to realize this.