20080702

Coding is a Science, not an Art

This has more to do with coding than engineering - two different phases of development.

When I've done code reviews and very clearly see a flaw and point it out, the first response is denial. (See The Five Stages of Web Application Security Grief - the devs have the same initial phase.) Developers are so quick to point out the really old defenses (it's a hidden form field; we validate that the drop-down list only contains the values we expect when we render it). When you clearly explain the failures of those defenses, they move on to pure denial ("you have to show me"). Then you show them.
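To make the "really old defenses" concrete, here is an added example that is not part of the original post. It contrasts a handler that trusts a hidden price field and a drop-down value because they were "validated at render time" with one that re-checks every submitted field against server-side state. The shipping options, the field names `ship` and `price`, and the function names are all constructed for this illustration.

```python
# Added example (not from the original post): validating the drop-down when the
# page is rendered says nothing about what the server will later receive, because
# the browser is under the user's control. The server must re-check submitted
# values against its own allow-list and must never take prices from the client.
from urllib.parse import parse_qs

# Constructed allow-list: the only shipping options this hypothetical app offers.
SHIPPING_OPTIONS = {"standard": 5.00, "express": 15.00}


def render_form(options):
    """Simulates building the <select> at render time. Checking the options here
    is fine for usability but is not a security control."""
    return "".join(f'<option value="{k}">{k}</option>' for k in options)


def handle_trusting(body):
    """'Before': assumes the submitted values came from the rendered drop-down and
    the hidden price field, so it uses them as-is."""
    fields = parse_qs(body)
    method = fields["ship"][0]
    price = float(fields["price"][0])  # hidden field, trusted without checking
    return {"method": method, "price": price}


def handle_validated(body):
    """'After': the shipping method is checked against the server-side allow-list
    and the price is looked up server-side rather than read from the request."""
    fields = parse_qs(body)
    method = fields.get("ship", [""])[0]
    if method not in SHIPPING_OPTIONS:
        raise ValueError(f"rejected shipping method {method!r}")
    return {"method": method, "price": SHIPPING_OPTIONS[method]}


if __name__ == "__main__":
    # Constructed POST body that does not match anything the form rendered.
    tampered = "ship=free&price=0"
    print(handle_trusting(tampered))  # accepted: method 'free' at price 0.0
    try:
        handle_validated(tampered)
    except ValueError as err:
        print(err)  # rejected shipping method 'free'
```

The point of the contrast is that the render-time check in `render_form` and the server-side check in `handle_validated` are different controls; only the second one runs on the data that actually arrives.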

It doesn't have to be this hard.

Coders, know that writing code is not an art. It is a science. If it's a science, a found failure is not a comment on your value as a human being. It's a comment on your tendency to make typos, to not press the right key, or simply to not have adequate information to solve the problem at hand. If I were to say that your theory has a flaw - that hurts. You've really invested something of yourself into that. But if I simply point out that you failed to carry a 1, to consider the null hypothesis, or to turn the knob before pressing the button, it hurts much less.

Engineering is different. But if coders (myself included) were far less defensive about their code and actually valued it enough to take recommendations on how to make it better, we could get to the making it better part much, much sooner. Value your skill enough to allow others to help you make that skill better. Even the most elite of ninjas need training.
