1. Security and... Driving? (and Hiring)

    There's been a blip on the PHP blogosphere (think what you will of that word, it's accurate) regarding PHP's "inherent security flaws."

    I guess it's time to toss in my 2c (even though I was one of the first to reply to Chris' post on this). Since I like similes, I propose the following: coding is like driving.

    What? It's pretty simple, if you think about it.

    If you drive, you'll follow. If you don't, but have tried, you'll also follow. If you've never tried it, you should. (-:

    Coding is like driving. When you start driving, you're really bad at it. Everyone is horrible, even if they aren't aware.

    As time passes, and you gain more experience behind the wheel, you're subjected to different driving conditions and new hazardous situations. These eventually make most of us better drivers.

    Take me, for example. I grew up in a relatively small city in New Brunswick. I learned to drive there. At the time, there was very little street parking, and as a result, very little parallel parking. I was really bad at parallel parking for a long time. I first started driving when I was 16. It wasn't until I was 20 that some friends and I took my car to the first (and only?) Geek Pride Festival. Closing in on Boston, the roads got wider and wider. Suddenly, I found myself driving on a road that was 4 lanes in each direction. You laugh, but this is daunting for a guy who'd never driven on anything wider than 2 lanes (in each direction), before. I knew to cruise on the right, and pass on the left, but... how do I use those other two lanes? I now live in Montreal, and feel confined when there are only two lanes. (-:

    Another parallel is when I learned to drive stick (manual transmission). My first few weeks were quite jumpy... then, my clutch foot smoothed out, and my passengers were relieved.

    More food for thought lies in the insurace industry. Now, I'll keep my feelings towards these racketeering slimeballs (mostly) to myself for the purposes of this entry, but they DO do something right: reward experienced drivers (often at the cost of young males, but I digress).

    I have a motorcycle license. I had to pass both written and driven tests to be able to ride. Even then, I only qualified for the lower class of bike ( 550cc).

    Alright, so what's my point? Simple: new coders are bad at their jobs. I thought I was good at the time, but I was horrible. I'm better now, but in 2 years, I know I'll look back at this and think about how bad I was 2 years ago. New drivers are also bad.

    So, the people who control the roads have put a few safeguards into effect to keep these people from hurting others. First, there's graduated licensing in many parts of the world. When I was 16, I had a 12 month waiting period before I could drive by myself, and even then, I had to maintain a 0.00% blood alcohol level whenever driving.

    Insurance companies penalize (or, if you're fluent in marketing, "don't reward") new drivers. My insurance payments are now an order of magnitude lower than when I first started driving.

    Trucking companies are likely to hire newgrad drivers, but this is because their workforce is scarce. They put their better, and more experienced drivers on the most complicated routes. And most taxi drivers I see are well over 30.

    Getting offtopic again: New coders are bad. They learn. Some quickly, some not so much. They make mistakes.

    So, how do you get around this? Two ways. If you run a small shop, you should ONLY have experienced developers on staff. If your shop is a little bigger, then you can afford (ironically) to pay less to inexperienced devs that can do some grunt work, and get a bit of experience under their belts. Make sure that your good devs are reviewing their work, though.

    You're effectively enforcing "graduated licensing" on your devs. If they have little experience, give them little power.

    That said, I firmly believe (and agree with Marco) that it's not PHP's job to enforce this. Just as I would not expect Plymouth to limit my ability to drive my old Reliant K car. There are rules in place at a higher level, and that's GOOD in my opinion.

    PHP is easy, or at least it starts out that way, and then, after a certain threshold, gets more and more complicated, but that's OK. Everything works this way. "Windows" is easy.. but when your registry pukes, it takes guru skills to clean it up (or novice skills to find your XP CD to reinstall). Driving is "easy"... just don't put new drivers in a situation they haven't seen before (whiteout/blizzard, collision, black ice, blinding sun, etc).

    The money you save by hiring new grads (without proper mentors/filtering/etc) is often trumped by your exposure to security flaws, bad design, and failure.

    A little aside: development shops and otherwise-hiring companies seem to be catching on to this. In the past 3 months, I've had 4 colleagues (former) come to me asking if I know any advanced PHP devs in Montreal who are looking for work... I've made a few suggestions, but most of the GOOD locals I know are already happily employed. If you live here (or are planning on moving here), and you've got LOTS of PHP experience (more than 3 years), have diverse experience, and are genuinely a good coder, let me know, and I'll try to hook you up.

    5 Responses

    Feed for this Entry
    • good analogy!

      I totally agree with it all.

      You know I use to code asp alot and really got angry at some people bitching it's security. Yeah it's not that good, but every code review showed me that it's bad code that left the sites open. You remenber all that scare? one word: zeljko!

      thanx for the plug!

      jf

    • FACORAT Fabrice

      2006 Jan 25 11:36

      Sure coding is like driving, but even for this there's more security measures ( [url]http://en.wikipedia.org/wiki/Car_safety[/url] ) :
      - airbag
      - security belt
      - ABS : [url]http://en.wikipedia.org/wiki/Anti-lock_braking_system[/url]
      - ESP : [url]http://en.wikipedia.org/wiki/Electronic_Stability_Program[/url]
      - speed limiters
      - Directional headlamps : [url]http://en.wikipedia.org/wiki/Directional_headlamp[/url]

      So even for drivers there's technological measure to assist them and help them make less mistakes. Theses measures will not prevent all accidents, but at least it will prevent some and thus for novice as experienced drivers.

      There's no reason PHP could not do the same.

    • Fair observation.

      Honestly, though: what do you actually expect PHP to implement to "solve" this problem?

      S

    • I don't think this comparison is fair. A seat belt doesn't help if I don't wear it. And ABS is useless if I try to pump the breaks like I was taught in driver's ed. Cars offer things to help drivers stay safe but if they are not used or are not used properly, it is not the car manufacturer's fault when you get hurt.

      The same goes for PHP. There are plenty of tools offered to programmers to help make their code safer but if the programmer doesn't use them or misuses them, it doesn't mean that PHP is to blame when an app has a security issue. For example, you can prevent SQL injection by sanitizing input and using prepare/execute (available in both PDO and PEAR::DB). Not taking these steps is done at your own risk. Just like driving without a seat belt.

      Scott Mattocks

    • Yep, just like driving.... After a couple years you're cruising at 20mph over the limit, fiddling with the radio, putting on makeup, dialing on the cell phone, and changing clothes with an extra-super-big-gulp between your legs, a whopper in one hand, and a PDA in the other.