finding toxic code
play

FINDING TOXIC CODE Experiences and techniques for finding dangerous - PowerPoint PPT Presentation

Mar 05, 2024 •289 likes •630 views

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

  1. FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter

  2. WHO AM I? 2

  3. WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the occasional “Help us work out what is going wrong” project. 3

  4. A FISHY STORY This story is true. Only the facts have been changed to protect the innocent. 4

  5. FISHCORP HAD A PROBLEM Old “FishNet” system – ugly and hard to change. New dev manager – Mr Squid; New system: “SquidNet” – very pretty, but very very buggy, late to ship, and getting later. “Can you help us work out what is going wrong?” 5

  6. YOU HAVE TWO WEEKS Workshops • Whiteboard sessions • Process mapping • 1 million lines of code! • How do we quickly review 1 million lines of code? • C++, C#, JS, SQL stored procedures… • 6

  7. ”TOXIC” CODE - ERIK DÖRNENBURG BLOG 2008 https://erik.doernenburg.com/2008/11/how-toxic-is-your-code/ 7

  8. CODECITY Looks ideal: But… 8

  9. GRAVEYARD OF TOOLS CodeCrawler: Panopticode: Moose Technology: 9

  10. WHAT ABOUT SONARQUBE? 10

  11. HOW ABOUT REALLY LIGHTWEIGHT TOOLS? Something quick, simple, cross-language, works with just source code. What about CLOC ? 11

  12. 12

  13. 13

  14. ARCHITECTURE SquidNet FishNet UI - HTML, CSS, JS, ASPX, C# UI - AngularJS, CSS, HTML, custom JS Mobile Component Component Component Component “Business Logic” C# Web API Component Component Component Component Fishing DB Stored Procedures Squid DB Stored Procedures Data Data ETL SQL Data Warehouse Batch Batch Tasks + Optimisation Reporting 14

  15. HOW BIG IS TOO BIG? “Simply stated, an object should be no bigger than the size of my head when pressed up against the monitor – basically a screenful of code.” - James Lewis (@boicy) http://bovon.org/archives/350 15

  16. Si Simple cross-lan languag age e code ode smell ell 1: To Too m many l lines o of c code 16

  17. (LINES OF CODE - BETTER VIEWED IN THE APP!) 17

  18. CODE-MAAT – SCM-BASED INFORMATION Ownership and Authors • Code age • (Logical coupling) • (Code churn) • … and more • https://github.com/adamtornhill/code-maat 18

  19. Si Simple cross-lan languag age e code ode smell ell 2: To Too f few a authors 19

  20. AUTHORS – BETTER VIEWED IN THE APP 20

  21. Si Simple cross-lan languag age e code ode smell ell 3: To Too l little c change 21

  22. OPINIONS MAY DIFFER! • Living code tends to change – people use it, they find refactorings, they make changes. • Static unchanging code might be perfect – or it might contain lurking undiscovered bugs. Either way, over time, collective knowledge drops to zero. • If it is static because it is perfect, it should be extracted out into a standalone library, with a lot of automated tests. 22

  23. AGE – BETTER SHOWN IN THE APP 23

  24. HOW ABOUT IDENTIFYING COMPLEXITY? 24

  25. Si Simple cross-lan languag age e code ode smell ell 4: Using code indentation as a proxy xy for complexi xity 25

  26. 26

  27. HOW DO OTHER PROJECTS LOOK? Verify– microservices in Java, Ruby, Python Linux – large C codebase Kubernetes – mostly Go MongoDB – C++, C, Go, JavaScript VSCode – TypeScript, JavaScript 27

  28. OTHER AREAS TO EXPLORE Test quality – “temporal coupling” can detect it, but hard to use reliably. Also bad tests can look better than good tests. Duplication! Can be spotted by hand, but tooling would be nice. Deployment data – e.g. release timings, time between development and production. 28

  29. RELEASE TIME - DETAILS 29

  30. RELEASE TIME – LONG TERM TRENDS 30

  31. WHAT DID WE TELL FISHCORP? Your old code is complex, badly tested, mostly • only understood by 1 or 2 people Your new code is even worse - complex, full of • duplication, badly tested, and still tightly coupled to your old code. You need to move away from giant databases • and ETL jobs You need to build something new. • 31

  32. THANK YOU! QUESTIONS? Simple code smell summary: Classes/Files too large • Too few authors • Too little change • Too much complexity (via indentation) • Co Code will (eventu tually) be at t gi github.com/ko kornysietsma Tw Twitter: @ko kornys Em Email: ko korny@thoughtworks.com

  33. IMAGE CREDITS Fanfold Paper – Arnold Reinhold (via WikiMedia) HP-85 computer – Wolfgang Stief (via WikiMedia) James Lewis’ Head - @boicy on Twitter Your Code as a Crime Scene cover – Pragmatic Programmers 33

Recommend

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
The Unhealthy Secrets of Coal Michele Prevost, MD Why is Coal Toxic? Toxic metals

The Unhealthy Secrets of Coal Michele Prevost, MD Why is Coal Toxic? Toxic metals

The Unhealthy Secrets of Coal Michele Prevost, MD Why is Coal Toxic? Toxic metals Radioactive elements (decays to Radon) Even low-sulfur coal produces bio-toxic sulfur and acidifies water Benzene derivatives

196 views • 18 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
1 Course Overview Session Three Prevention of Toxic Stress Preventing toxic stress in

1 Course Overview Session Three Prevention of Toxic Stress Preventing toxic stress in

Stress: The Good, Bad, and the Ugly Part One Catherine Nelson, Ph.D. University of Utah Cathy.nelson@utah.edu Course Overview: Stress Session One Definitions Physiology Toxic Stress Risk factors for experiencing toxic stress

384 views • 15 slides
Are the words toxic stress toxic? Speakers Join the National Conversation PRESENTER on

Are the words toxic stress toxic? Speakers Join the National Conversation PRESENTER on

DIGITAL DIALOGUE TRAUMA & RESILIENCE Are the words toxic stress toxic? Speakers Join the National Conversation PRESENTER on Child Abuse Cailin OConnor and Neglect Senior Associate Center for the Study of Social Policy

508 views • 15 slides
Dreaming in Drupal How to think like a developer to build without code Planning Finding a

Dreaming in Drupal How to think like a developer to build without code Planning Finding a

Dreaming in Drupal How to think like a developer to build without code Planning Finding a Module Filter & Sort Deciding Between Modules Installation Profiles Government, library, university - http://openpublicapp.com Intranet -

295 views • 7 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
Do humans need to detox? Why is there a need to Detox? All of us live in an ever- increasing

Do humans need to detox? Why is there a need to Detox? All of us live in an ever- increasing

Do humans need to detox? Why is there a need to Detox? All of us live in an ever- increasing toxic environment Are You Toxic? The question is no longer IF we are toxic the real question is HOW toxic are we? Toxins and our Health

759 views • 39 slides
Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

UNIVERSITY OF CAMBRIDGE Decompilation, type inference and finding the code to decompile Alan Mycroft Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/users/am/ 30 January 2012 Decompilation, type inference and finding

614 views • 34 slides
Toxic stress in the lived Toxic stress in the lived experience of people of color experience of

Toxic stress in the lived Toxic stress in the lived experience of people of color experience of

Toxic stress in the lived Toxic stress in the lived experience of people of color experience of people of color Josefina Aylln-Nez, MA, MSEd Language Master at The Lawrenceville S chool Susan Park, PhD Instructor in Biology at The

201 views • 16 slides
Is this normal? Finding anomalies in real-time data. Who am I? Im Theo (@postwait on Twitter)

Is this normal? Finding anomalies in real-time data. Who am I? Im Theo (@postwait on Twitter)

Is this normal? Finding anomalies in real-time data. Who am I? Im Theo (@postwait on Twitter) I write a lot of code 50+ open source projects several commercial code bases I wrote Scalable Internet Architectures I sit on the ACM

327 views • 18 slides
CDC cellular automaton track finding. Various topics Oliver Frost Deutsches

CDC cellular automaton track finding. Various topics Oliver Frost Deutsches

CDC cellular automaton track finding. Various topics Oliver Frost Deutsches Elektronensynchrotron 2015-01-20 Overview > Changes to source code structure > Testing > Python support > Validation > Cosmics finding > Helix >

622 views • 26 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling Issues with current profilers Causal profiling COZ Overview and Implementation COZ Evaluation Comparison with Pivot Tracing

660 views • 23 slides
Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D.

Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D.

Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D. Ernst University of Southern Massachusetts Institute California of Technology Bubble Sort // Return a sorted copy of the argument double[]

390 views • 38 slides
Reed-Solomon code. Berlekamp-Welsh Algorithm Finding Q ( x ) and E ( x ) ? Problem: Communicate n

Reed-Solomon code. Berlekamp-Welsh Algorithm Finding Q ( x ) and E ( x ) ? Problem: Communicate n

Reed-Solomon code. Berlekamp-Welsh Algorithm Finding Q ( x ) and E ( x ) ? Problem: Communicate n packets m 1 ,..., m n P ( x ) : degree n 1 polynomial. on noisy channel that corrupts k packets. Send P ( 1 ) ,..., P ( n + 2 k ) Receive R (

305 views • 8 slides
Toxic Plants and Mushrooms : Principles of natural toxicology Recognize patterns of

Toxic Plants and Mushrooms : Principles of natural toxicology Recognize patterns of

11/6/2013 Our Mission: Toxic Plants and Mushrooms : Principles of natural toxicology Recognize patterns of and treat common plant What You Dont Know CAN intoxications Kill You Distinguish toxic and benign mushroom

486 views • 11 slides
80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up

Slammer s Bandwidth-Limited Growth 80% of Code Red 2 Code Red 2 re-re- Code Red 1 and Code Red 2 Code Red 2 re- cleaned up due to released Jan 2004 Nimda endemic dies off released with Oct. onset of Blaster (and 2005; not since

450 views • 34 slides
Finding Cryptography in Object Code Jason L. Wright Cyber Security Researcher Idaho National

Finding Cryptography in Object Code Jason L. Wright Cyber Security Researcher Idaho National

INL/CON-08-14597 Finding Cryptography in Object Code Jason L. Wright Cyber Security Researcher Idaho National Laboratory jason.wright@inl.gov Security Education Conference Toronto October 8, 2008 (SECTor08) Current Work Malware is

304 views • 16 slides
STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11

STATUS COUNT FINDING APPROVED 5 FINDING CONDITIONAL 16 FINDING DENIED 11 LICENSED 148 PENDING 27 WITHDRAWN 32 TOTAL 239 ADUs reviewed as Special Exceptions Pre 2013 ZTA 12-11 Allows ADUs as

741 views • 14 slides
The Human Component in Automated Bug Finding Christian Holler (:decoder) Staff Security Engineer

The Human Component in Automated Bug Finding Christian Holler (:decoder) Staff Security Engineer

The Human Component in Automated Bug Finding Christian Holler (:decoder) Staff Security Engineer ~ 16M lines source code ~ 16M lines source code Last month: 340 authors with 2,475 commits Interfaces Media Formats Markup Fonts Languages

1.12k views • 72 slides
parents fighting air pollution to protect the health of our children WHY MOMS CARE ABOUT TOXIC

parents fighting air pollution to protect the health of our children WHY MOMS CARE ABOUT TOXIC

We are a community of parents fighting air pollution to protect the health of our children WHY MOMS CARE ABOUT TOXIC AIR The Clean Air Act has never been fully implemented. Americas kids face grave threats from toxic chemicals in the air.

345 views • 11 slides
Toxic Metals Evaluation and Treatment Sara Rodgers, NMD Idaho Naturopathic Medicine What are

Toxic Metals Evaluation and Treatment Sara Rodgers, NMD Idaho Naturopathic Medicine What are

Toxic Metals Evaluation and Treatment Sara Rodgers, NMD Idaho Naturopathic Medicine What are toxic metals o Arsenic o Tin o Lead o Nickel o Mercury o Titanium o Aluminum o Thallium o Cadmium o Tungsten o Barium o Uranium Toxicity 2003 CERCLA

388 views • 36 slides
Control of Particulate Emissions from Soils with Toxic Air Contaminants PUBLIC WORKSHOP MAY 10,

Control of Particulate Emissions from Soils with Toxic Air Contaminants PUBLIC WORKSHOP MAY 10,

Proposed Rule 1466: Control of Particulate Emissions from Soils with Toxic Air Contaminants PUBLIC WORKSHOP MAY 10, 2017 2 Background Soils with toxic air contaminants can become airborne during excavation, grading, stockpiling, removal,

395 views • 26 slides

More recommend