In 2022, 35% of developers released software twice as fast as the previous year. But speed isn’t everything — 40% of organizations struggle to strike a balance between speed, quality, and costs without incurring too much technical debt.
Pairing a useful code review checklist (i.e., a methodical assessment of other programmers’ written code before merging it) with a winning software development strategy can help boost the quality of your code while reducing development costs and technical debt.
But not all code review checklists are the same. Discover nine essential items that’ll transform your code review activities into an efficient, quality-oriented, and highly performant process. Learn how to make high technical debt, skyrocketing costs, and poor-quality software a thing of the past.
Take it from me — effective code review isn’t something to rush. The last time I assisted in releasing a software update after a rushed (and sloppy) code review, it was rolled back 30 minutes later. At the time, code reviews were primarily based on the ‘gut feelings’ of the reviewer of the day, transforming every review into a numbers game.
The team often wondered how other organizations could save money and find more flaws just by having regular code reviews. What was the catch behind it? Have you ever heard of Smartbear, a software manufacturing company?
One of their customers experimented: they calculated how much money their organization could save by reviewing code from the beginning of a project. The results were shocking. They discovered that by implementing periodical code reviews, they could keep more than $200,000 in their pockets and find 162 additional bugs.
We knew we were on the right track, but we were still missing something. That’s when we started experimenting with code review checklists. Six months and many code review checklist versions later, we finally found the perfect ingredients. From then onward, code releases were no longer a leap into the unknown. The code quality dramatically increased, development costs decreased, and team members were learning from each other.
Want to discover the magic ingredients of our code review checklist recipe for success? Here’s a 60-second overview:
Code Review Checklist Essentials
1. Check If the Code Includes All Feature Requirements
2. Verify Code Readability
3. Look For Duplications
4. Examine the Level of Maintainability
5. Look for Data Security, Privacy, and Compliance Issues
6. Assess the Code’s Grade of Reusability
7. Figure Out the Code’s Scalability and Reliability
8. Find Out About Error Handling
9. Review Code Test Coverage and Quality
10. Find and Analyze the Documentation Available
Want to discover the magic ingredients of our code review checklist recipe for success? Keep on reading!
Before immersing yourself in the code, have a look at the feature request tickets and the pull requests (PRs) – i.e., when the developer starts the process of integrating new code changes into the main project – and ask yourself:
If the answer to even one of these questions is yes, stop the code review and send the PR back to the developer. There’s no point reviewing something that’s going to change again. The PR looks perfect? Then you can move on.
Research shows that when people read something on a screen, they comprehend less of what they’ve read than when they read the same text on physical paper. Since the year 2000, this has become increasingly true with the advent of smartphones.
Why should you care? When a developer writes a piece of code, he or she isn’t the only one who is going to work on and use it. So, if reading on a screen comes with its challenges (e.g., scrolling and risking losing the thread), how can your colleagues or even you, as a reviewer, do a good job if the code is poorly written or formatted?
So, during your review try to answer questions like:
Many years ago, France and Italy passed legislation requiring organizations operating within their territories to replace foreign language terms with ones in the local language. I remember the humongous amount of work our communication team had to go through to replace every single English term with an equivalent French or Italian term.
Imagine having to implement this type of change on a functionality that’s scattered throughout your code. Without any shortcuts (one of which we’ll mention momentarily), it’ll take you ages to hunt all those similar items down, and it’ll definitely have an impact on your speed of delivery.
Find out if the code’s author followed the DRY (Don’t Repeat Yourself) principle by including these simple questions in your code review:
Pro tip: Time constraints are among code reviewers’ top three challenges. Use hash tables to find duplicates in an array quickly. (Remember the “shortcut” we mentioned a few paragraphs ago? This is what we were talking about.) Hash functions let you transform data into a fixed-length value (i.e., a hash digest). These values can be stored in a table that you can use to organize and keep track of unique elements. Why should you do it? Because it’ll reduce the time taken to search for duplicates.
How does it work? Once the hash table has been created, you can then iterate through the array elements. If the element isn’t in the hash table, it’ll be added to it. Is the element already present in the table? Congratulations! You found your first duplicate. It’s easy as pie and your array won’t be modified.
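The one-pass hash-table scan just described, as an added example (this is not code from the article): `find_duplicates` is the array case exactly as the text states it, with a dict as the hash table and the input left untouched. `find_duplicate_blocks` goes a step further than the text and applies the same idea to the reviewer’s actual problem, copy-pasted code: it digests every window of three normalized source lines to a fixed-length SHA-256 value and uses that digest as the table key, so each window costs one lookup. The window size, the normalization rules and the two sample files are assumptions constructed for the demo.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: two files sharing a copy-pasted loop (one has a comment
# and a different function name, which naive text comparison would miss).
SAMPLE_FILES = {
    "billing.py": """def total(items):
    result = 0
    for item in items:
        result += item.price * item.qty
    return result
""",
    "report.py": """def grand_total(items):
    result = 0   # accumulate
    for item in items:
        result += item.price * item.qty
    return result
""",
}


def find_duplicates(items):
    """The array case from the text: iterate once, using a dict as the hash table.

    Returns {value: (first_index, [later indices])} for every duplicated value.
    The input list is never modified.
    """
    seen = {}                   # value -> index where it was first seen
    dupes = defaultdict(list)
    for i, item in enumerate(items):
        if item in seen:        # already in the table: a duplicate
            dupes[item].append(i)
        else:
            seen[item] = i
    return {item: (seen[item], later) for item, later in dupes.items()}


def normalize(line):
    """Strip trailing '#' comments and collapse whitespace so cosmetic edits
    do not hide a copy (a simplification: it ignores '#' inside strings)."""
    line = re.sub(r"#.*$", "", line)
    return " ".join(line.split())


def find_duplicate_blocks(files, window=3):
    """Generalization: report every run of `window` consecutive non-blank,
    normalized lines that occurs in more than one place across `files`.

    Each window is hashed to a fixed-length SHA-256 digest; the digest is the
    hash-table key, so checking a window is a single lookup.
    Returns a list of groups, each a list of (file, starting line number).
    """
    table = {}                  # digest -> (file, line) of first occurrence
    hits = defaultdict(list)    # digest -> later occurrences
    for name, text in files.items():
        lines = [(n + 1, normalize(raw)) for n, raw in enumerate(text.splitlines())]
        lines = [(n, l) for n, l in lines if l]          # drop blank lines
        for i in range(len(lines) - window + 1):
            chunk = lines[i:i + window]
            digest = hashlib.sha256(
                "\n".join(l for _, l in chunk).encode("utf-8")
            ).hexdigest()
            location = (name, chunk[0][0])
            if digest in table:
                hits[digest].append(location)
            else:
                table[digest] = location
    return [[table[d]] + later for d, later in hits.items()]


if __name__ == "__main__":
    print(find_duplicates([3, 1, 3, 2, 1, 3]))
    for group in find_duplicate_blocks(SAMPLE_FILES):
        print("duplicate block at:", group)
```

Overlapping windows mean one copied run of four lines is reported as two adjacent groups; merging adjacent hits is a small follow-up a real tool would add. The point for the reviewer is the cost model: one digest and one table lookup per window instead of comparing every block against every other.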
As Mahatma Gandhi said, “The future depends on what we do in the present.” This is why ensuring that code requires little effort to support, update, and fix is paramount.
Why is it so important? Because the more maintainable the code, the less time the developers will need to change it, and the lower will be the risk that the change will break something.
At the beginning of June 2023, the sensitive data of 8.8 million Zacks Investment Research customers (e.g., email addresses, unsalted SHA-256 password hashes, and usernames) was published on the dark web.
This is just one example of data breaches that have occurred (so far) this year. For organizations, having secure code has become so important that 37% of developers list testing applications for security issues among their key responsibilities. You can have the best code ever, but if it isn’t secure, all the effort and time you invest will be all for nothing.
OK, some security procedures should already be part of your secure software development life cycle (SSDLC) and your CI/CD pipeline; however, everyone makes mistakes. Want to spot the issues that have gone unnoticed? Include security, privacy, and regulatory compliance checks in your code review checklist. Step into an attacker’s shoes and find answers to questions like:
Pro tip: Explore our guide to OWASP secure coding practices checklist for more guidance and suggestions.
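The unsalted SHA-256 storage named in the Zacks breach is exactly the kind of thing a security check in the review should catch. The following is an added example, not code from the article or from any product it mentions: `weak_hash` is the pattern to flag, and `strong_hash`/`verify` show the hardened form a reviewer would ask for (a random per-user salt, a deliberately slow key derivation, and a constant-time comparison). The iteration count, the storage string format and the sample password are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# --- The pattern a reviewer should flag ------------------------------------
def weak_hash(password):
    """Unsalted, fast SHA-256. Every user with the same password gets the same
    digest, so a leaked table can be attacked with precomputed digests and one
    crack recovers every account that shares the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- The hardened form ------------------------------------------------------
ITERATIONS = 600_000   # assumed work factor; tune so one check takes ~100 ms


def strong_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per call.

    The result is stored as a self-describing string (algorithm, iteration
    count, salt, digest) so the work factor can be raised later without
    invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password, stored):
    """Re-derive with the stored salt and iteration count and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                     # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def review_findings():
    """The two properties a reviewer checks, on a constructed sample password."""
    pw = "correct horse battery staple"
    return {
        "unsalted_repeats": weak_hash(pw) == weak_hash(pw),      # same input, same digest
        "salted_differs": strong_hash(pw) != strong_hash(pw),   # salt makes each record unique
        "verifies": verify(pw, strong_hash(pw)),
        "rejects_wrong": verify("wrong password", strong_hash(pw)),
    }


if __name__ == "__main__":
    print(review_findings())
```

In a review, the questions to put against any password-handling change are the ones this example makes visible: is there a salt, is the hash deliberately slow, is the comparison constant-time, and can the work factor be raised later? A purpose-built password hash such as Argon2 or bcrypt via a maintained library is the usual recommendation; PBKDF2 is used here only because it ships in the standard library.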
Do you “upcycle” instead of just throwing things away? I do, and I apply the same concept when writing code as well. Why? Because recycling speeds up development, saves money, and reduces the risk of introducing new vulnerabilities into your products.
This is also one of the reasons why low-code platforms, projected to reach a revenue of over $12 million by 2024, are based on the reusability concept. Code more easily, faster, and more securely. What more could an organization want?
Look into the level of reusability of the code you’re reviewing:
Pro tip: Suggest your developers use constants instead of single values to increase code reusability.
Once your application is released, what’s the likelihood that no one will request a change or a new feature? None, zero, nada. On the other hand, the probability that something in the application will fail sooner or later is high. A request returning an error, an asset not loading properly — regardless of which issue occurs, something inevitably goes wrong all of the time.
But, if the code behind the application is scalable and reliable enough (i.e., it’s fault tolerant), changes will be relatively easy to implement. In case of errors, the impact on users will be as limited as possible.
Your code review checklist should therefore cover questions such as:
And talking about errors, how are these going to be handled? Let’s see a few sample questions on error handling to add to your code review checklist.
One of my friends has a bad habit. Whenever he hits the submit button in an application and it doesn’t immediately react, he keeps on hitting it frantically until either it works or he receives an error message. Yeah, he’s one of those people… but he’s not alone; I bet many people do the same when they get frustrated.
Now imagine that this is your software. I’m fairly certain you didn’t think to verify how the code you’re reviewing would handle this kind of issue. There are so many error-handling scenarios that it would be virtually impossible to consider them all. However, there are key questions that can help you spot most of them.
Pro tip: Analyze the code by comparing it with the use cases described in the OWASP error handling cheat sheet.
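The frantic-clicker scenario above, together with the fault-tolerance questions from the scalability section, as an added example (not code from the article or from the OWASP cheat sheet it points to). The handler makes a submit endpoint idempotent: each request carries a client-generated key, the first outcome for a key is cached and replayed for every retry, so the side effect runs once however many times the button is hit. It also separates expected failures (a specific, safe message) from unexpected ones (full detail logged server-side, only a generic message and a reference id sent to the user). The `PaymentDeclined` error type, the `charge` backend and the order keys are constructed for the demo.

```python
import logging
import uuid

log = logging.getLogger("submissions")


class PaymentDeclined(Exception):
    """Constructed sample of an expected failure the user can act on."""


class IdempotentSubmitHandler:
    """Wraps a side-effecting operation so repeated submits are harmless."""

    def __init__(self, process):
        self._process = process   # the real side effect, e.g. charging a card
        self._results = {}        # idempotency key -> cached response
        self.calls = 0            # how many times the side effect really ran

    def submit(self, idempotency_key, payload):
        cached = self._results.get(idempotency_key)
        if cached is not None:
            return cached          # replay: the first click already did the work
        response, cacheable = self._handle(payload)
        if cacheable:
            self._results[idempotency_key] = response
        return response

    def _handle(self, payload):
        self.calls += 1
        try:
            result = self._process(payload)
            return {"status": "ok", "result": result}, True
        except PaymentDeclined as exc:
            # Expected: the message is safe to show and a retry will not help,
            # so the outcome is cached too.
            return {"status": "error", "message": f"Payment declined: {exc}"}, True
        except Exception:
            # Unexpected: keep the stack trace and details on the server, give
            # the user a generic message plus a reference they can quote.
            ref = str(uuid.uuid4())
            log.exception("submit failed (ref=%s)", ref)
            # Not cached: once the fault clears, a retry should be allowed to succeed.
            return {"status": "error", "message": f"Something went wrong (ref {ref})"}, False


def make_handler():
    """Constructed backend: declines non-positive amounts, times out when asked."""
    charged = []

    def charge(payload):
        if payload["amount"] <= 0:
            raise PaymentDeclined("amount must be positive")
        if payload.get("flaky"):
            raise ConnectionError("gateway timeout")   # internal detail, must not leak
        charged.append(payload["amount"])
        return {"charged": payload["amount"]}

    return IdempotentSubmitHandler(charge), charged


def simulate_frantic_user():
    """Same key submitted five times: one charge, five identical responses."""
    handler, charged = make_handler()
    key = "order-42"   # in practice a UUID the client generates per form load
    responses = [handler.submit(key, {"amount": 10}) for _ in range(5)]
    return handler, responses, charged


if __name__ == "__main__":
    handler, responses, charged = simulate_frantic_user()
    print(charged, handler.calls, responses[0])
```

Two review questions fall straight out of this: does a repeated request reach the side effect, and does an unexpected exception's text (here "gateway timeout") ever make it into the response? The cache here is an in-memory dict; a real service would key it in a shared store with a TTL and bind the key to the payload so a reused key with different data is rejected.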
Do you think that tests aren’t your business and, therefore, you haven’t included a test analysis in your code review checklist until now? It’s time to change this mindset. Just because the code passed all the tests doesn’t mean that those tests were good or that the code is perfect.
Did your team use bots in the testing process like 53% of developers interviewed by GitLab in 2023? While this is a good practice, remember that automation doesn’t mean perfect. It just means that it’s automatically testing for set criteria. What if a test was so standardized that it didn’t cover everything it was supposed to? What if it passed for the wrong reasons or wasn’t updated to reflect those specific changes?
Add a fundamental step to your code review checklist and ask:
Pro tip: Consider tests like code. They should also be easy to read, maintainable, and effective. If they’re too complex to be understandable, they probably aren’t good enough. Instead of pinpointing bugs, they could end up adding to your tech debt.
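A test that "passed for the wrong reasons", made concrete as an added example (not code from the article): `weak_test` only checks that the function runs, `good_test` asserts on expected outcomes at the boundaries, and `mutation_score` measures the difference the way a mutation-testing tool would, by handing each test deliberately broken variants of the function and counting how many it catches. The `is_strong_password` rule, its mutants and the sample passwords are all constructed for the demo.

```python
def is_strong_password(pw):
    """Constructed rule under test: 12+ chars, at least one digit and one upper-case."""
    return (
        len(pw) >= 12
        and any(c.isdigit() for c in pw)
        and any(c.isupper() for c in pw)
    )


def weak_test(fn):
    """Passes for the wrong reasons: it never checks the answer, only that
    the call does not raise. A reviewer should send this one back."""
    fn("Tr0ub4dor&3xyz")
    return True


def good_test(fn):
    """Asserts on the outcome at each boundary the rule is supposed to enforce."""
    cases = {
        "Tr0ub4dor&3xyz": True,    # meets every requirement
        "short1A": False,          # too short
        "alllowercase123": False,  # long and has digits, no upper-case
        "NODIGITSHEREXX": False,   # long and has upper-case, no digit
    }
    return all(fn(pw) == expected for pw, expected in cases.items())


# Deliberately broken variants of the function. A test that still passes
# against one of these is not really testing the rule it claims to test.
MUTANTS = [
    lambda pw: True,                                           # always accept
    lambda pw: False,                                          # always reject
    lambda pw: len(pw) >= 12,                                  # length only
    lambda pw: len(pw) >= 12 and any(c.isdigit() for c in pw), # dropped upper-case check
    lambda pw: len(pw) >= 12 and any(c.isupper() for c in pw), # dropped digit check
]


def mutation_score(test, mutants=MUTANTS):
    """Fraction of mutants the test 'kills', i.e. fails on. 1.0 means every
    deliberate bug was caught; 0.0 means the test proves nothing."""
    killed = sum(1 for mutant in mutants if not test(mutant))
    return killed / len(mutants)


if __name__ == "__main__":
    print("weak test passes on real code:", weak_test(is_strong_password))
    print("good test passes on real code:", good_test(is_strong_password))
    print("weak test mutation score:", mutation_score(weak_test))
    print("good test mutation score:", mutation_score(good_test))
```

Both tests are green against the real implementation, which is all a CI status badge shows. Only the mutation score separates them, and it is the kind of evidence worth asking for when a PR's only test change is "added a test that passes".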
You usually get the importance of documentation when a developer leaves the company. That’s when the poor fellas left in the team have to try to understand the ins and outs of the code he wrote. If the documentation he left behind is poor, outdated, or simply nonexistent, they’re in for a rough ride.
The last time it happened to my team, it took us months to figure it all out and, in some cases, we even had to scrap some applications and re-write them from scratch. And that ain’t funny, believe me. Luckily enough, 53% of developers surveyed by Zeroheight think that documentation helps their colleagues do their job with confidence. To play it safe, though:
Pro tip: High-quality documentation is essential for smooth maintenance. Ensure best practices are followed and that the APIs defined in the code change are also well documented.
Among the 10 essential items we’ve just described, what are the ones that you’re definitely going to add to your code review checklist? What? You don’t use a checklist? Uh-oh! “I taut I taw a problem!” like Looney Tunes Tweety Bird may say. Let’s find out why you definitely need one.
The Verizon 2023 Data Breach Investigations Report shows that more than 32% of all scanning for the Log4j vulnerability (i.e., the flaw attackers exploit to take control of servers) happened within the first month after its disclosure. Today’s attackers act fast and exploit vulnerabilities on a massive scale in a matter of days.
High-quality code must not only be easy to understand and modify, but it also must be as secure as possible. How can developer teams ensure that the code they’ve just written fulfills all those expectations when they’re urged to produce software as fast as lightning? This is where code review checklists come to the rescue.
A good code review checklist will:
At the end of the day, reviewing code is a bit like reviewing an article or a book. The key to success?
You’ll make your customers happy and protect the publisher’s reputation. Ready to create a stellar code review checklist? It’s your turn now!
Doing code reviews without a well-structured checklist is like playing darts while wearing a blindfold. With luck, you’ll hit something, but you’ll need more than luck to get the bullseye.
To really reap the benefits of the time invested in code reviews:
Using a code review checklist will help you catch bugs earlier in the development process, avoid common security gaffes, and improve the overall quality of your code and end product. So, what do you think? Isn’t it worth boosting your code review checklist so that it covers the essential points you’ve just explored?